From 1441a3303002f0ec5fd1c83a9f5098aa26b600bb Mon Sep 17 00:00:00 2001 
From: Samuel Roth Date: Tue, 29 Jun 2021 19:55:31 -0400 Subject: [PATCH] hostPath baseline check for Pod Security Standards graduate IngressClassNamespacedParams to beta add fuzzer patch to fix tests Destroy the created runtimeclass resources at the end of the test case. addressing comments dont ensure security context --- .../policy/check_hostPath.go | 75 +++++++++++ .../test/fixtures_hostPath.go | 118 ++++++++++++++++++ .../baseline/v1.0/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.0/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.0/pass/hostpath0.yaml | 11 ++ .../baseline/v1.1/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.1/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.1/pass/hostpath0.yaml | 11 ++ .../baseline/v1.10/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.10/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.10/pass/hostpath0.yaml | 11 ++ .../baseline/v1.11/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.11/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.11/pass/hostpath0.yaml | 11 ++ .../baseline/v1.12/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.12/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.12/pass/hostpath0.yaml | 11 ++ .../baseline/v1.13/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.13/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.13/pass/hostpath0.yaml | 11 ++ .../baseline/v1.14/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.14/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.14/pass/hostpath0.yaml | 11 ++ .../baseline/v1.15/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.15/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.15/pass/hostpath0.yaml | 11 ++ .../baseline/v1.16/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.16/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.16/pass/hostpath0.yaml | 11 ++ .../baseline/v1.17/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.17/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.17/pass/hostpath0.yaml | 11 ++ .../baseline/v1.18/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.18/fail/hostpath1.yaml | 21 ++++ 
.../baseline/v1.18/pass/hostpath0.yaml | 11 ++ .../baseline/v1.19/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.19/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.19/pass/hostpath0.yaml | 11 ++ .../baseline/v1.2/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.2/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.2/pass/hostpath0.yaml | 11 ++ .../baseline/v1.20/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.20/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.20/pass/hostpath0.yaml | 11 ++ .../baseline/v1.21/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.21/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.21/pass/hostpath0.yaml | 11 ++ .../baseline/v1.22/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.22/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.22/pass/hostpath0.yaml | 11 ++ .../baseline/v1.3/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.3/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.3/pass/hostpath0.yaml | 11 ++ .../baseline/v1.4/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.4/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.4/pass/hostpath0.yaml | 11 ++ .../baseline/v1.5/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.5/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.5/pass/hostpath0.yaml | 11 ++ .../baseline/v1.6/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.6/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.6/pass/hostpath0.yaml | 11 ++ .../baseline/v1.7/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.7/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.7/pass/hostpath0.yaml | 11 ++ .../baseline/v1.8/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.8/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.8/pass/hostpath0.yaml | 11 ++ .../baseline/v1.9/fail/hostpath0.yaml | 27 ++++ .../baseline/v1.9/fail/hostpath1.yaml | 21 ++++ .../baseline/v1.9/pass/hostpath0.yaml | 11 ++ .../restricted/v1.0/fail/hostpath0.yaml | 29 +++++ .../restricted/v1.0/fail/hostpath1.yaml | 23 ++++ .../restricted/v1.0/pass/hostpath0.yaml | 13 ++ .../restricted/v1.1/fail/hostpath0.yaml | 29 +++++ 
.../restricted/v1.1/fail/hostpath1.yaml | 23 ++++ .../restricted/v1.1/pass/hostpath0.yaml | 13 ++ .../restricted/v1.10/fail/hostpath0.yaml | 33 +++++ .../restricted/v1.10/fail/hostpath1.yaml | 27 ++++ .../restricted/v1.10/pass/hostpath0.yaml | 17 +++ .../restricted/v1.11/fail/hostpath0.yaml | 33 +++++ .../restricted/v1.11/fail/hostpath1.yaml | 27 ++++ .../restricted/v1.11/pass/hostpath0.yaml | 17 +++ .../restricted/v1.12/fail/hostpath0.yaml | 33 +++++ .../restricted/v1.12/fail/hostpath1.yaml | 27 ++++ .../restricted/v1.12/pass/hostpath0.yaml | 17 +++ .../restricted/v1.13/fail/hostpath0.yaml | 33 +++++ .../restricted/v1.13/fail/hostpath1.yaml | 27 ++++ .../restricted/v1.13/pass/hostpath0.yaml | 17 +++ .../restricted/v1.14/fail/hostpath0.yaml | 33 +++++ .../restricted/v1.14/fail/hostpath1.yaml | 27 ++++ .../restricted/v1.14/pass/hostpath0.yaml | 17 +++ .../restricted/v1.15/fail/hostpath0.yaml | 33 +++++ .../restricted/v1.15/fail/hostpath1.yaml | 27 ++++ .../restricted/v1.15/pass/hostpath0.yaml | 17 +++ .../restricted/v1.16/fail/hostpath0.yaml | 33 +++++ .../restricted/v1.16/fail/hostpath1.yaml | 27 ++++ .../restricted/v1.16/pass/hostpath0.yaml | 17 +++ .../restricted/v1.17/fail/hostpath0.yaml | 33 +++++ .../restricted/v1.17/fail/hostpath1.yaml | 27 ++++ .../restricted/v1.17/pass/hostpath0.yaml | 17 +++ .../restricted/v1.18/fail/hostpath0.yaml | 33 +++++ .../restricted/v1.18/fail/hostpath1.yaml | 27 ++++ .../restricted/v1.18/pass/hostpath0.yaml | 17 +++ .../restricted/v1.19/fail/hostpath0.yaml | 33 +++++ .../restricted/v1.19/fail/hostpath1.yaml | 27 ++++ .../restricted/v1.19/pass/hostpath0.yaml | 17 +++ .../restricted/v1.2/fail/hostpath0.yaml | 29 +++++ .../restricted/v1.2/fail/hostpath1.yaml | 23 ++++ .../restricted/v1.2/pass/hostpath0.yaml | 13 ++ .../restricted/v1.20/fail/hostpath0.yaml | 33 +++++ .../restricted/v1.20/fail/hostpath1.yaml | 27 ++++ .../restricted/v1.20/pass/hostpath0.yaml | 17 +++ .../restricted/v1.21/fail/hostpath0.yaml | 33 +++++ 
.../restricted/v1.21/fail/hostpath1.yaml | 27 ++++ .../restricted/v1.21/pass/hostpath0.yaml | 17 +++ .../restricted/v1.22/fail/hostpath0.yaml | 33 +++++ .../restricted/v1.22/fail/hostpath1.yaml | 27 ++++ .../restricted/v1.22/pass/hostpath0.yaml | 17 +++ .../restricted/v1.3/fail/hostpath0.yaml | 29 +++++ .../restricted/v1.3/fail/hostpath1.yaml | 23 ++++ .../restricted/v1.3/pass/hostpath0.yaml | 13 ++ .../restricted/v1.4/fail/hostpath0.yaml | 29 +++++ .../restricted/v1.4/fail/hostpath1.yaml | 23 ++++ .../restricted/v1.4/pass/hostpath0.yaml | 13 ++ .../restricted/v1.5/fail/hostpath0.yaml | 29 +++++ .../restricted/v1.5/fail/hostpath1.yaml | 23 ++++ .../restricted/v1.5/pass/hostpath0.yaml | 13 ++ .../restricted/v1.6/fail/hostpath0.yaml | 29 +++++ .../restricted/v1.6/fail/hostpath1.yaml | 23 ++++ .../restricted/v1.6/pass/hostpath0.yaml | 13 ++ .../restricted/v1.7/fail/hostpath0.yaml | 29 +++++ .../restricted/v1.7/fail/hostpath1.yaml | 23 ++++ .../restricted/v1.7/pass/hostpath0.yaml | 13 ++ .../restricted/v1.8/fail/hostpath0.yaml | 33 +++++ .../restricted/v1.8/fail/hostpath1.yaml | 27 ++++ .../restricted/v1.8/pass/hostpath0.yaml | 17 +++ .../restricted/v1.9/fail/hostpath0.yaml | 33 +++++ .../restricted/v1.9/fail/hostpath1.yaml | 27 ++++ .../restricted/v1.9/pass/hostpath0.yaml | 17 +++ 140 files changed, 3225 insertions(+) create mode 100644 staging/src/k8s.io/pod-security-admission/policy/check_hostPath.go create mode 100644 staging/src/k8s.io/pod-security-admission/test/fixtures_hostPath.go create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/hostpath0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/hostpath0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/hostpath0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/hostpath0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/hostpath0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/hostpath0.yaml 
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/hostpath0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/hostpath0.yaml create mode 
100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/hostpath0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/hostpath1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/hostpath0.yaml
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_hostPath.go b/staging/src/k8s.io/pod-security-admission/policy/check_hostPath.go
new file mode 100644
index 00000000000..e6a78baea8d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_hostPath.go
@@ -0,0 +1,75 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+ "fmt"
+
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/sets"
+ "k8s.io/pod-security-admission/api"
+)
+
+/*
+HostPath volumes must be forbidden.
+
+**Restricted Fields:**
+
+spec.volumes[*].hostPath
+
+**Allowed Values:** undefined/nil
+*/
+
+func init() {
+ addCheck(CheckHostPath)
+}
+
+// CheckHostPath returns a baseline level check
+// that requires hostPath=undefined/nil in 1.0+
+func CheckHostPath() Check {
+ return Check{
+ ID: "hostPath",
+ Level: api.LevelBaseline,
+ Versions: []VersionedCheck{
+ {
+ MinimumVersion: api.MajorMinorVersion(1, 0),
+ CheckPod: hostPath_1_0,
+ },
+ },
+ }
+}
+
+func hostPath_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+ hostVolumes := sets.NewString()
+
+ for _, volume := range podSpec.Volumes {
+ if volume.HostPath != nil {
+ hostVolumes.Insert(volume.Name)
+ }
+ }
+
+ if len(hostVolumes) > 0 {
+ return CheckResult{
+ Allowed: false,
+ ForbiddenReason: "hostPath volumes",
+ ForbiddenDetail: fmt.Sprintf("volumes %q", hostVolumes.List()),
+ }
+ }
+
+ return CheckResult{Allowed: true}
+}
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_hostPath.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_hostPath.go
new file mode 100644
index 00000000000..90db528ac45
--- /dev/null
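Review bot: `hostPath_1_0` has no doc comment, and nothing in the file states the boundary of what it enforces: the loop only tests `volume.HostPath != nil` on `podSpec.Volumes`, so a `persistentVolumeClaim` volume is accepted without regard to what backs the claim. I would say so above the function, e.g. `// hostPath_1_0 rejects pods that declare an inline hostPath volume; it does not resolve persistentVolumeClaim sources, so hostPath-backed PersistentVolumes must be restricted separately.` The `/* HostPath volumes must be forbidden ... */` block is separated from `CheckHostPath` by `init()`, so it documents nothing in particular and would read better merged into the `CheckHostPath` comment. Minor: `podMetadata` is unused in this body (presumably required by the `CheckPod` signature), and `hostVolumes.Len() > 0` is clearer than `len(hostVolumes) > 0` on a set type.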
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_hostPath.go 
@@ -0,0 +1,118 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package test
+
+import (
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/pod-security-admission/api"
+)
+
+/*
+TODO: include field paths in reflect-based unit test
+*/
+
+func init() {
+
+ fixtureData_1_0 := fixtureGenerator{
+ expectErrorSubstring: "hostPath volumes",
+ generatePass: func(p *corev1.Pod) []*corev1.Pod {
+ return []*corev1.Pod{p} // minimal valid pod
+ },
+ generateFail: func(p *corev1.Pod) []*corev1.Pod {
+ return []*corev1.Pod{
+ // mix of hostPath and non-hostPath volumes
+ tweak(p, func(p *corev1.Pod) {
+ p.Spec.Volumes = []corev1.Volume{
+ {
+ Name: "volume-hostpath",
+ VolumeSource: corev1.VolumeSource{
+ HostPath: &corev1.HostPathVolumeSource{
+ Path: "/dev/null",
+ },
+ },
+ },
+ {
+ Name: "volume-emptydir",
+ VolumeSource: corev1.VolumeSource{
+ EmptyDir: &corev1.EmptyDirVolumeSource{},
+ },
+ },
+ {
+ Name: "volume-configmap",
+ VolumeSource: corev1.VolumeSource{
+ ConfigMap: &corev1.ConfigMapVolumeSource{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: "configmap",
+ },
+ Items: []corev1.KeyToPath{
+ {
+ Key: "log_level",
+ Path: "log_level",
+ },
+ },
+ },
+ },
+ },
+ {
+ Name: "configmap",
+ VolumeSource: corev1.VolumeSource{
+ PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
+ ClaimName: "hello",
+ ReadOnly: true,
+ },
+ },
+ },
+ }
+ }),
+ // just hostPath volumes
+ tweak(p, func(p *corev1.Pod) {
+ p.Spec.Volumes = []corev1.Volume{
+ {
+ Name: "volume-hostpath-null",
+ VolumeSource: corev1.VolumeSource{
+ HostPath: &corev1.HostPathVolumeSource{
+ Path: "/dev/null",
+ },
+ },
+ },
+ {
+ Name: "volume-hostpath-docker",
+ VolumeSource: corev1.VolumeSource{
+ HostPath: &corev1.HostPathVolumeSource{
+ Path: "/var/lib/docker",
+ },
+ },
+ },
+ {
+ Name: "volume-hostpath-sys",
+ VolumeSource: corev1.VolumeSource{
+ HostPath: &corev1.HostPathVolumeSource{
+ Path: "/sys",
+ },
+ },
+ },
+ }
+ }),
+ }
+ },
+ }
+
+ registerFixtureGenerator(
+ fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 0), check: "hostPath"},
+ fixtureData_1_0,
+ )
+}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef46248333d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/hostpath0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/hostpath1.yaml
new file mode 100755
index 00000000000..f5296a0af8b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/hostpath1.yaml
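Review bot: `generatePass` in fixtures_hostPath.go returns only the unmodified base pod, so no passing fixture carries a volume at all; a check that rejected every pod with a non-empty `spec.volumes` would still satisfy these fixtures. Adding a pass case with a non-hostPath source pins the allow side of the policy, as sketched below; the generated `pass/` testdata would then need regenerating for every level and version. Separately, the fourth volume in the mixed fail case is named `configmap` but carries a `PersistentVolumeClaim` source, which looks like a copy-paste slip; `volume-pvc` would match the naming of its neighbours.

```go
generatePass: func(p *corev1.Pod) []*corev1.Pod {
	return []*corev1.Pod{
		p, // minimal valid pod
		// a non-hostPath volume must still be allowed
		tweak(p, func(p *corev1.Pod) {
			p.Spec.Volumes = []corev1.Volume{
				{
					Name: "volume-emptydir",
					VolumeSource: corev1.VolumeSource{
						EmptyDir: &corev1.EmptyDirVolumeSource{},
					},
				},
			}
		}),
	}
},
// … unchanged: generateFail cases and registerFixtureGenerator call …
```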
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/hostpath0.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/hostpath0.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/hostpath1.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/hostpath0.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/hostpath0.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/hostpath1.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/hostpath0.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/hostpath0.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/hostpath1.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/hostpath0.yaml 
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/hostpath1.yaml
new file mode 100755
index 00000000000..f5296a0af8b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/hostpath1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/hostpath0.yaml
new file mode 100755
index 00000000000..9ee65f7dbcc
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/hostpath0.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef46248333d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/hostpath0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/hostpath1.yaml
new file mode 100755
index 00000000000..f5296a0af8b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/hostpath1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/hostpath0.yaml
new file mode 100755
index 00000000000..9ee65f7dbcc
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/hostpath0.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef46248333d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/hostpath0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/hostpath1.yaml
new file mode 100755
index 00000000000..f5296a0af8b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/hostpath1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/hostpath0.yaml
new file mode 100755
index 00000000000..9ee65f7dbcc
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/hostpath0.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef46248333d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/hostpath0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/hostpath1.yaml
new file mode 100755
index 00000000000..f5296a0af8b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/hostpath1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/hostpath0.yaml
new file mode 100755
index 00000000000..9ee65f7dbcc
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/hostpath0.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef46248333d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/hostpath0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/hostpath1.yaml
new file mode 100755
index 00000000000..f5296a0af8b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/hostpath1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/hostpath0.yaml
new file mode 100755
index 00000000000..9ee65f7dbcc
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/hostpath0.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef46248333d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/hostpath0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/hostpath1.yaml
new file mode 100755
index 00000000000..f5296a0af8b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/hostpath1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/hostpath0.yaml
new file mode 100755
index 00000000000..9ee65f7dbcc
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/hostpath0.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/hostpath0.yaml
new file mode 100755
index 00000000000..73a32fef2a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/hostpath0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/hostpath1.yaml
new file mode 100755
index 00000000000..e89b04a7020
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/hostpath1.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/hostpath0.yaml
new file mode 100755
index 00000000000..f70ec13f1ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/hostpath0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/hostpath0.yaml
new file mode 100755
index 00000000000..73a32fef2a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/hostpath0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/hostpath1.yaml
new file mode 100755
index 00000000000..e89b04a7020
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/hostpath1.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/hostpath0.yaml
new file mode 100755
index 00000000000..f70ec13f1ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/hostpath0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef7e51009bf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/hostpath0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/hostpath1.yaml
new file mode 100755
index 00000000000..ebdc4d0e129
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/hostpath1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/hostpath0.yaml
new file mode 100755
index 00000000000..d30fd0240a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/hostpath0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef7e51009bf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/hostpath0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/hostpath1.yaml
new file mode 100755
index 00000000000..ebdc4d0e129
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/hostpath1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/hostpath0.yaml
new file mode 100755
index 00000000000..d30fd0240a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/hostpath0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef7e51009bf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/hostpath0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/hostpath1.yaml
new file mode 100755
index 00000000000..ebdc4d0e129
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/hostpath1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/hostpath0.yaml
new file mode 100755
index 00000000000..d30fd0240a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/hostpath0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef7e51009bf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/hostpath0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/hostpath1.yaml
new file mode 100755
index 00000000000..ebdc4d0e129
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/hostpath1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/hostpath0.yaml
new file mode 100755
index 00000000000..d30fd0240a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/hostpath0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef7e51009bf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/hostpath0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/hostpath1.yaml
new file mode 100755
index 00000000000..ebdc4d0e129
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/hostpath1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/hostpath0.yaml
new file mode 100755
index 00000000000..d30fd0240a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/hostpath0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef7e51009bf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/hostpath0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/hostpath1.yaml
new file mode 100755
index 00000000000..ebdc4d0e129
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/hostpath1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/hostpath0.yaml
new file mode 100755
index 00000000000..d30fd0240a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/hostpath0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef7e51009bf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/hostpath0.yaml
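Review bot: The pass fixture restricted/v1.15/pass/hostpath0.yaml declares no `volumes:` at all, so nothing in the pass set pins that the non-hostPath volumes used in fail/hostpath0.yaml (`emptyDir`, `configMap`, `persistentVolumeClaim`) are accepted when no `hostPath` entry is present. A check that rejected every pod with volumes would still satisfy these fixtures. Consider adding a second pass case that carries those three volumes without the `hostPath` one; the same applies to the pass fixtures for the other versions in this patch. check_hostPath.go is not visible in this part of the patch, so this is a point about test coverage, not about the check itself.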
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/hostpath1.yaml
new file mode 100755
index 00000000000..ebdc4d0e129
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/hostpath1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/hostpath0.yaml
new file mode 100755
index 00000000000..d30fd0240a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/hostpath0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef7e51009bf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/hostpath0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/hostpath1.yaml
new file mode 100755
index 00000000000..ebdc4d0e129
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/hostpath1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/hostpath0.yaml
new file mode 100755
index 00000000000..d30fd0240a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/hostpath0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef7e51009bf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/hostpath0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/hostpath1.yaml
new file mode 100755
index 00000000000..ebdc4d0e129
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/hostpath1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/hostpath0.yaml
new file mode 100755
index 00000000000..d30fd0240a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/hostpath0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef7e51009bf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath1.yaml
new file mode 100755
index 00000000000..ebdc4d0e129
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/hostpath0.yaml
new file mode 100755
index 00000000000..d30fd0240a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/hostpath0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/hostpath0.yaml
new file mode 100755
index 00000000000..73a32fef2a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/hostpath0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/hostpath1.yaml
new file mode 100755
index 00000000000..e89b04a7020
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/hostpath1.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/hostpath0.yaml
new file mode 100755
index 00000000000..f70ec13f1ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/hostpath0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef7e51009bf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath1.yaml
new file mode 100755
index 00000000000..ebdc4d0e129
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/hostpath0.yaml
new file mode 100755
index 00000000000..d30fd0240a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/hostpath0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef7e51009bf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath1.yaml
new file mode 100755
index 00000000000..ebdc4d0e129
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/hostpath0.yaml
new file mode 100755
index 00000000000..d30fd0240a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/hostpath0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath0.yaml
new file mode 100755
index 00000000000..ef7e51009bf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath1.yaml
new file mode 100755
index 00000000000..ebdc4d0e129
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/hostpath0.yaml
new file mode 100755
index 00000000000..d30fd0240a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/hostpath0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/hostpath0.yaml
new file mode 100755
index 00000000000..73a32fef2a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/hostpath0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/hostpath1.yaml
new file mode 100755
index 00000000000..e89b04a7020
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/hostpath1.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/hostpath0.yaml
new file mode 100755
index 00000000000..f70ec13f1ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/hostpath0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/hostpath0.yaml
new file mode 100755
index 00000000000..73a32fef2a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/hostpath0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/hostpath1.yaml
new file mode 100755
index 00000000000..e89b04a7020
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/hostpath1.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/hostpath0.yaml
new file mode 100755
index 00000000000..f70ec13f1ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/hostpath0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/hostpath0.yaml
new file mode 100755
index 00000000000..73a32fef2a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/hostpath0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/hostpath1.yaml
new file mode 100755
index 00000000000..e89b04a7020
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/hostpath1.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/hostpath0.yaml
new file mode 100755
index 00000000000..f70ec13f1ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/hostpath0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/hostpath0.yaml
new file mode 100755
index 00000000000..73a32fef2a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/hostpath0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/hostpath1.yaml
new file mode 100755
index 00000000000..e89b04a7020
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/hostpath1.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath-null
+ - hostPath:
+ path: /var/lib/docker
+ name: volume-hostpath-docker
+ - hostPath:
+ path: /sys
+ name: volume-hostpath-sys
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/hostpath0.yaml
new file mode 100755
index 00000000000..f70ec13f1ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/hostpath0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/hostpath0.yaml
new file mode 100755
index 00000000000..73a32fef2a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/hostpath0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpath0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume-hostpath
+ - emptyDir: {}
+ name: volume-emptydir
+ - configMap:
+ items:
+ - key: log_level
+ path: log_level
+ name: configmap
+ name: volume-configmap
+ - name: configmap
+ persistentVolumeClaim:
+ claimName: hello
+ readOnly: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/hostpath1.yaml
new file mode 100755
index 00000000000..e89b04a7020
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/hostpath1.yaml
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/hostpath0.yaml new file mode 100755 index 00000000000..f70ec13f1ff --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/hostpath0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/hostpath0.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/hostpath1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/hostpath0.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/hostpath0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/hostpath1.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/hostpath0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true