From 1ac0e018d5bcc4f81b54fa4ffcab96b4da2ccfd4 Mon Sep 17 00:00:00 2001
From: njuptlzf
Date: Wed, 30 Jun 2021 11:29:41 +0800
Subject: [PATCH] [PodSecurity] Implement sysctls check
---
.../policy/check_sysctls.go | 75 +++++++++++++++++++
.../test/fixtures_sysctls.go | 71 ++++++++++++++++++
.../testdata/baseline/v1.0/fail/sysctls0.yaml | 15 ++++
.../testdata/baseline/v1.0/pass/sysctls0.yaml | 12 +++
.../testdata/baseline/v1.0/pass/sysctls1.yaml | 21 ++++++
.../testdata/baseline/v1.1/fail/sysctls0.yaml | 15 ++++
.../testdata/baseline/v1.1/pass/sysctls0.yaml | 12 +++
.../testdata/baseline/v1.1/pass/sysctls1.yaml | 21 ++++++
.../baseline/v1.10/fail/sysctls0.yaml | 15 ++++
.../baseline/v1.10/pass/sysctls0.yaml | 12 +++
.../baseline/v1.10/pass/sysctls1.yaml | 21 ++++++
.../baseline/v1.11/fail/sysctls0.yaml | 15 ++++
.../baseline/v1.11/pass/sysctls0.yaml | 12 +++
.../baseline/v1.11/pass/sysctls1.yaml | 21 ++++++
.../baseline/v1.12/fail/sysctls0.yaml | 15 ++++
.../baseline/v1.12/pass/sysctls0.yaml | 12 +++
.../baseline/v1.12/pass/sysctls1.yaml | 21 ++++++
.../baseline/v1.13/fail/sysctls0.yaml | 15 ++++
.../baseline/v1.13/pass/sysctls0.yaml | 12 +++
.../baseline/v1.13/pass/sysctls1.yaml | 21 ++++++
.../baseline/v1.14/fail/sysctls0.yaml | 15 ++++
.../baseline/v1.14/pass/sysctls0.yaml | 12 +++
.../baseline/v1.14/pass/sysctls1.yaml | 21 ++++++
.../baseline/v1.15/fail/sysctls0.yaml | 15 ++++
.../baseline/v1.15/pass/sysctls0.yaml | 12 +++
.../baseline/v1.15/pass/sysctls1.yaml | 21 ++++++
.../baseline/v1.16/fail/sysctls0.yaml | 15 ++++
.../baseline/v1.16/pass/sysctls0.yaml | 12 +++
.../baseline/v1.16/pass/sysctls1.yaml | 21 ++++++
.../baseline/v1.17/fail/sysctls0.yaml | 15 ++++
.../baseline/v1.17/pass/sysctls0.yaml | 12 +++
.../baseline/v1.17/pass/sysctls1.yaml | 21 ++++++
.../baseline/v1.18/fail/sysctls0.yaml | 15 ++++
.../baseline/v1.18/pass/sysctls0.yaml | 12 +++
.../baseline/v1.18/pass/sysctls1.yaml | 21 ++++++
.../baseline/v1.19/fail/sysctls0.yaml | 15 ++++
.../baseline/v1.19/pass/sysctls0.yaml | 12 +++
.../baseline/v1.19/pass/sysctls1.yaml | 21 ++++++
.../testdata/baseline/v1.2/fail/sysctls0.yaml | 15 ++++
.../testdata/baseline/v1.2/pass/sysctls0.yaml | 12 +++
.../testdata/baseline/v1.2/pass/sysctls1.yaml | 21 ++++++
.../baseline/v1.20/fail/sysctls0.yaml | 15 ++++
.../baseline/v1.20/pass/sysctls0.yaml | 12 +++
.../baseline/v1.20/pass/sysctls1.yaml | 21 ++++++
.../baseline/v1.21/fail/sysctls0.yaml | 15 ++++
.../baseline/v1.21/pass/sysctls0.yaml | 12 +++
.../baseline/v1.21/pass/sysctls1.yaml | 21 ++++++
.../baseline/v1.22/fail/sysctls0.yaml | 15 ++++
.../baseline/v1.22/pass/sysctls0.yaml | 12 +++
.../baseline/v1.22/pass/sysctls1.yaml | 21 ++++++
.../testdata/baseline/v1.3/fail/sysctls0.yaml | 15 ++++
.../testdata/baseline/v1.3/pass/sysctls0.yaml | 12 +++
.../testdata/baseline/v1.3/pass/sysctls1.yaml | 21 ++++++
.../testdata/baseline/v1.4/fail/sysctls0.yaml | 15 ++++
.../testdata/baseline/v1.4/pass/sysctls0.yaml | 12 +++
.../testdata/baseline/v1.4/pass/sysctls1.yaml | 21 ++++++
.../testdata/baseline/v1.5/fail/sysctls0.yaml | 15 ++++
.../testdata/baseline/v1.5/pass/sysctls0.yaml | 12 +++
.../testdata/baseline/v1.5/pass/sysctls1.yaml | 21 ++++++
.../testdata/baseline/v1.6/fail/sysctls0.yaml | 15 ++++
.../testdata/baseline/v1.6/pass/sysctls0.yaml | 12 +++
.../testdata/baseline/v1.6/pass/sysctls1.yaml | 21 ++++++
.../testdata/baseline/v1.7/fail/sysctls0.yaml | 15 ++++
.../testdata/baseline/v1.7/pass/sysctls0.yaml | 12 +++
.../testdata/baseline/v1.7/pass/sysctls1.yaml | 21 ++++++
.../testdata/baseline/v1.8/fail/sysctls0.yaml | 15 ++++
.../testdata/baseline/v1.8/pass/sysctls0.yaml | 12 +++
.../testdata/baseline/v1.8/pass/sysctls1.yaml | 21 ++++++
.../testdata/baseline/v1.9/fail/sysctls0.yaml | 15 ++++
.../testdata/baseline/v1.9/pass/sysctls0.yaml | 12 +++
.../testdata/baseline/v1.9/pass/sysctls1.yaml | 21 ++++++
.../restricted/v1.0/fail/sysctls0.yaml | 16 ++++
.../restricted/v1.0/pass/sysctls0.yaml | 13 ++++
.../restricted/v1.0/pass/sysctls1.yaml | 22 ++++++
.../restricted/v1.1/fail/sysctls0.yaml | 16 ++++
.../restricted/v1.1/pass/sysctls0.yaml | 13 ++++
.../restricted/v1.1/pass/sysctls1.yaml | 22 ++++++
.../restricted/v1.10/fail/sysctls0.yaml | 20 +++++
.../restricted/v1.10/pass/sysctls0.yaml | 17 +++++
.../restricted/v1.10/pass/sysctls1.yaml | 26 +++++++
.../restricted/v1.11/fail/sysctls0.yaml | 20 +++++
.../restricted/v1.11/pass/sysctls0.yaml | 17 +++++
.../restricted/v1.11/pass/sysctls1.yaml | 26 +++++++
.../restricted/v1.12/fail/sysctls0.yaml | 20 +++++
.../restricted/v1.12/pass/sysctls0.yaml | 17 +++++
.../restricted/v1.12/pass/sysctls1.yaml | 26 +++++++
.../restricted/v1.13/fail/sysctls0.yaml | 20 +++++
.../restricted/v1.13/pass/sysctls0.yaml | 17 +++++
.../restricted/v1.13/pass/sysctls1.yaml | 26 +++++++
.../restricted/v1.14/fail/sysctls0.yaml | 20 +++++
.../restricted/v1.14/pass/sysctls0.yaml | 17 +++++
.../restricted/v1.14/pass/sysctls1.yaml | 26 +++++++
.../restricted/v1.15/fail/sysctls0.yaml | 20 +++++
.../restricted/v1.15/pass/sysctls0.yaml | 17 +++++
.../restricted/v1.15/pass/sysctls1.yaml | 26 +++++++
.../restricted/v1.16/fail/sysctls0.yaml | 20 +++++
.../restricted/v1.16/pass/sysctls0.yaml | 17 +++++
.../restricted/v1.16/pass/sysctls1.yaml | 26 +++++++
.../restricted/v1.17/fail/sysctls0.yaml | 20 +++++
.../restricted/v1.17/pass/sysctls0.yaml | 17 +++++
.../restricted/v1.17/pass/sysctls1.yaml | 26 +++++++
.../restricted/v1.18/fail/sysctls0.yaml | 20 +++++
.../restricted/v1.18/pass/sysctls0.yaml | 17 +++++
.../restricted/v1.18/pass/sysctls1.yaml | 26 +++++++
.../restricted/v1.19/fail/sysctls0.yaml | 20 +++++
.../restricted/v1.19/pass/sysctls0.yaml | 17 +++++
.../restricted/v1.19/pass/sysctls1.yaml | 26 +++++++
.../restricted/v1.2/fail/sysctls0.yaml | 16 ++++
.../restricted/v1.2/pass/sysctls0.yaml | 13 ++++
.../restricted/v1.2/pass/sysctls1.yaml | 22 ++++++
.../restricted/v1.20/fail/sysctls0.yaml | 20 +++++
.../restricted/v1.20/pass/sysctls0.yaml | 17 +++++
.../restricted/v1.20/pass/sysctls1.yaml | 26 +++++++
.../restricted/v1.21/fail/sysctls0.yaml | 20 +++++
.../restricted/v1.21/pass/sysctls0.yaml | 17 +++++
.../restricted/v1.21/pass/sysctls1.yaml | 26 +++++++
.../restricted/v1.22/fail/sysctls0.yaml | 20 +++++
.../restricted/v1.22/pass/sysctls0.yaml | 17 +++++
.../restricted/v1.22/pass/sysctls1.yaml | 26 +++++++
.../restricted/v1.3/fail/sysctls0.yaml | 16 ++++
.../restricted/v1.3/pass/sysctls0.yaml | 13 ++++
.../restricted/v1.3/pass/sysctls1.yaml | 22 ++++++
.../restricted/v1.4/fail/sysctls0.yaml | 16 ++++
.../restricted/v1.4/pass/sysctls0.yaml | 13 ++++
.../restricted/v1.4/pass/sysctls1.yaml | 22 ++++++
.../restricted/v1.5/fail/sysctls0.yaml | 16 ++++
.../restricted/v1.5/pass/sysctls0.yaml | 13 ++++
.../restricted/v1.5/pass/sysctls1.yaml | 22 ++++++
.../restricted/v1.6/fail/sysctls0.yaml | 16 ++++
.../restricted/v1.6/pass/sysctls0.yaml | 13 ++++
.../restricted/v1.6/pass/sysctls1.yaml | 22 ++++++
.../restricted/v1.7/fail/sysctls0.yaml | 16 ++++
.../restricted/v1.7/pass/sysctls0.yaml | 13 ++++
.../restricted/v1.7/pass/sysctls1.yaml | 22 ++++++
.../restricted/v1.8/fail/sysctls0.yaml | 20 +++++
.../restricted/v1.8/pass/sysctls0.yaml | 17 +++++
.../restricted/v1.8/pass/sysctls1.yaml | 26 +++++++
.../restricted/v1.9/fail/sysctls0.yaml | 20 +++++
.../restricted/v1.9/pass/sysctls0.yaml | 17 +++++
.../restricted/v1.9/pass/sysctls1.yaml | 26 +++++++
140 files changed, 2603 insertions(+)
create mode 100644 staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
create mode 100644 staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/sysctls1.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/sysctls0.yaml
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/sysctls1.yaml
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
new file mode 100644
index 00000000000..f65a2ad49a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
@@ -0,0 +1,75 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+ "strings"
+
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/sets"
+ "k8s.io/pod-security-admission/api"
+)
+
+func init() {
+ addCheck(CheckSysctls)
+}
+
+// CheckSysctls returns a baseline level check
+// that limits the value of sysctls in 1.0+
+func CheckSysctls() Check {
+ return Check{
+ ID: "sysctls",
+ Level: api.LevelBaseline,
+ Versions: []VersionedCheck{
+ {
+ MinimumVersion: api.MajorMinorVersion(1, 0),
+ CheckPod: checkSysctls_1_0,
+ },
+ },
+ }
+}
+
+var (
+ sysctls_allowed_1_0 = sets.NewString(
+ "kernel.shm_rmid_forced",
+ "net.ipv4.ip_local_port_range",
+ "net.ipv4.tcp_syncookies",
+ "net.ipv4.ping_group_range",
+ )
+)
+
+func checkSysctls_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+ var forbiddenSysctls []string
+
+ if podSpec.SecurityContext != nil {
+ for _, sysctl := range podSpec.SecurityContext.Sysctls {
+ if !sysctls_allowed_1_0.Has(sysctl.Name) {
+ forbiddenSysctls = append(forbiddenSysctls, sysctl.Name)
+ }
+ }
+ }
+
+ if len(forbiddenSysctls) > 0 {
+ return CheckResult{
+ Allowed: false,
+ ForbiddenReason: "forbidden sysctls",
+ ForbiddenDetail: strings.Join(forbiddenSysctls, ", "),
+ }
+ }
+ return CheckResult{Allowed: true}
+}
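Review bot: The allowlist `sysctls_allowed_1_0` is the entire security decision of this check, yet it has no comment saying what it mirrors or how it may evolve; add above it `// sysctls_allowed_1_0 is the set of namespaced sysctls the Baseline policy permits. It is frozen for policy version 1.0: widen it only by adding a VersionedCheck with a higher MinimumVersion, never by editing this set.` The lookup is an exact string match on `sysctl.Name`, so the check relies on API validation having already rejected malformed names; should a later API version accept an alternative spelling of the same sysctl (e.g. a different separator), names would have to be normalized before the `Has` call, which deserves a one-line note there. In `ForbiddenDetail`, quoting each name (e.g. `"%q"`) rather than joining bare names would keep an odd or whitespace-containing name legible in the rejection message.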
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
new file mode 100644
index 00000000000..3590023941a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
@@ -0,0 +1,71 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package test
+
+import (
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/pod-security-admission/api"
+)
+
+/*
+TODO: include field paths in reflect-based unit test
+
+podFields: []string{
+ `spec.securityContext.sysctls.name`,
+},
+*/
+
+func init() {
+ fixtureData_1_0 := fixtureGenerator{
+ expectErrorSubstring: "forbidden sysctl",
+ generatePass: func(p *corev1.Pod) []*corev1.Pod {
+ if p.Spec.SecurityContext == nil {
+ p.Spec.SecurityContext = &corev1.PodSecurityContext{}
+ }
+ return []*corev1.Pod{
+ // security context with no sysctls
+ tweak(p, func(p *corev1.Pod) { p.Spec.SecurityContext.Sysctls = nil }),
+ // sysctls with name="kernel.shm_rmid_forced" ,"net.ipv4.ip_local_port_range"
+ // "net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range"
+ tweak(p, func(p *corev1.Pod) {
+ p.Spec.SecurityContext.Sysctls = []corev1.Sysctl{
+ {Name: "kernel.shm_rmid_forced", Value: "0"},
+ {Name: "net.ipv4.ip_local_port_range", Value: "1024 65535"},
+ {Name: "net.ipv4.tcp_syncookies", Value: "0"},
+ {Name: "net.ipv4.ping_group_range", Value: "1 0"},
+ }
+ }),
+ }
+ },
+ generateFail: func(p *corev1.Pod) []*corev1.Pod {
+ if p.Spec.SecurityContext == nil {
+ p.Spec.SecurityContext = &corev1.PodSecurityContext{}
+ }
+ return []*corev1.Pod{
+ // sysctls with out of allowed name
+ tweak(p, func(p *corev1.Pod) {
+ p.Spec.SecurityContext.Sysctls = []corev1.Sysctl{{Name: "othersysctl", Value: "other"}}
+ }),
+ }
+ },
+ }
+
+ registerFixtureGenerator(
+ fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 0), check: "sysctls"},
+ fixtureData_1_0,
+ )
+}
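Review bot: The fail fixtures exercise only a single forbidden name on its own; there is no case where an allowed name and a forbidden one appear in the same list, so a regression that accepts the pod as soon as one entry is allowed would still pass this suite. Add a second fail pod, e.g. `tweak(p, func(p *corev1.Pod) { p.Spec.SecurityContext.Sysctls = []corev1.Sysctl{{Name: "kernel.shm_rmid_forced", Value: "0"}, {Name: "othersysctl", Value: "other"}} })`. Both generators also assign `p.Spec.SecurityContext` on the incoming pod before `tweak` (presumably a copy) runs; if `p` is a base fixture shared with other generators, that mutation leaks out, and moving the nil check into each closure avoids it. The generated testdata added alongside (e.g. baseline/v1.0/fail/sysctls0.yaml) is committed with mode 100755; plain YAML fixtures should be 100644.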
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/sysctls0.yaml
new file mode 100755
index 00000000000..399f09abdd6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/sysctls0.yaml
new file mode 100755
index 00000000000..221a8da2afe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/sysctls1.yaml
new file mode 100755
index 00000000000..ee4a499ff5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/sysctls1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/sysctls0.yaml
new file mode 100755
index 00000000000..780a6ed9b2e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/sysctls0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/sysctls0.yaml
new file mode 100755
index 00000000000..86a9991c357
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/sysctls0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/sysctls1.yaml
new file mode 100755
index 00000000000..220289ae3be
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/sysctls1.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/sysctls0.yaml
new file mode 100755
index 00000000000..780a6ed9b2e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/sysctls0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/sysctls0.yaml
new file mode 100755
index 00000000000..86a9991c357
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/sysctls0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/sysctls1.yaml
new file mode 100755
index 00000000000..220289ae3be
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/sysctls1.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/sysctls0.yaml
new file mode 100755
index 00000000000..21d63a65a8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/sysctls0.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/sysctls0.yaml
new file mode 100755
index 00000000000..e5e3fb64968
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/sysctls0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/sysctls1.yaml
new file mode 100755
index 00000000000..1a364429f4a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/sysctls1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/sysctls0.yaml
new file mode 100755
index 00000000000..21d63a65a8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/sysctls0.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/sysctls0.yaml
new file mode 100755
index 00000000000..e5e3fb64968
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/sysctls0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/sysctls1.yaml
new file mode 100755
index 00000000000..1a364429f4a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/sysctls1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/sysctls0.yaml
new file mode 100755
index 00000000000..21d63a65a8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/sysctls0.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/sysctls0.yaml
new file mode 100755
index 00000000000..e5e3fb64968
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/sysctls0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/sysctls1.yaml
new file mode 100755
index 00000000000..1a364429f4a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/sysctls1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/sysctls0.yaml
new file mode 100755
index 00000000000..21d63a65a8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/sysctls0.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/sysctls0.yaml
new file mode 100755
index 00000000000..e5e3fb64968
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/sysctls0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/sysctls1.yaml
new file mode 100755
index 00000000000..1a364429f4a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/sysctls1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/sysctls0.yaml
new file mode 100755
index 00000000000..21d63a65a8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/sysctls0.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/sysctls0.yaml
new file mode 100755
index 00000000000..e5e3fb64968
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/sysctls0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/sysctls1.yaml
new file mode 100755
index 00000000000..1a364429f4a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/sysctls1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/sysctls0.yaml
new file mode 100755
index 00000000000..21d63a65a8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/sysctls0.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/sysctls0.yaml
new file mode 100755
index 00000000000..e5e3fb64968
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/sysctls0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/sysctls1.yaml
new file mode 100755
index 00000000000..1a364429f4a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/sysctls1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/sysctls0.yaml
new file mode 100755
index 00000000000..21d63a65a8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/sysctls0.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/sysctls0.yaml
new file mode 100755
index 00000000000..e5e3fb64968
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/sysctls0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/sysctls1.yaml
new file mode 100755
index 00000000000..1a364429f4a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/sysctls1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/sysctls0.yaml
new file mode 100755
index 00000000000..21d63a65a8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/sysctls0.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/sysctls0.yaml
new file mode 100755
index 00000000000..e5e3fb64968
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/sysctls0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/sysctls1.yaml
new file mode 100755
index 00000000000..1a364429f4a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/sysctls1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/sysctls0.yaml
new file mode 100755
index 00000000000..21d63a65a8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/sysctls0.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/sysctls0.yaml
new file mode 100755
index 00000000000..e5e3fb64968
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/sysctls0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/sysctls1.yaml
new file mode 100755
index 00000000000..1a364429f4a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/sysctls1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/sysctls0.yaml
new file mode 100755
index 00000000000..21d63a65a8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/sysctls0.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls0.yaml
new file mode 100755
index 00000000000..e5e3fb64968
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls1.yaml
new file mode 100755
index 00000000000..1a364429f4a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/sysctls0.yaml
new file mode 100755
index 00000000000..780a6ed9b2e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/sysctls0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/sysctls0.yaml
new file mode 100755
index 00000000000..86a9991c357
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/sysctls0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/sysctls1.yaml
new file mode 100755
index 00000000000..220289ae3be
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/sysctls1.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/sysctls0.yaml
new file mode 100755
index 00000000000..21d63a65a8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/sysctls0.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls0.yaml
new file mode 100755
index 00000000000..e5e3fb64968
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls1.yaml
new file mode 100755
index 00000000000..1a364429f4a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/sysctls0.yaml
new file mode 100755
index 00000000000..21d63a65a8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/sysctls0.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls0.yaml
new file mode 100755
index 00000000000..e5e3fb64968
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls1.yaml
new file mode 100755
index 00000000000..1a364429f4a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/sysctls0.yaml
new file mode 100755
index 00000000000..21d63a65a8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/sysctls0.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls0.yaml
new file mode 100755
index 00000000000..e5e3fb64968
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls1.yaml
new file mode 100755
index 00000000000..1a364429f4a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/sysctls0.yaml
new file mode 100755
index 00000000000..780a6ed9b2e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/sysctls0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/sysctls0.yaml
new file mode 100755
index 00000000000..86a9991c357
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/sysctls0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/sysctls1.yaml
new file mode 100755
index 00000000000..220289ae3be
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/sysctls1.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/sysctls0.yaml
new file mode 100755
index 00000000000..780a6ed9b2e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/sysctls0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/sysctls0.yaml
new file mode 100755
index 00000000000..86a9991c357
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/sysctls0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/sysctls1.yaml
new file mode 100755
index 00000000000..220289ae3be
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/sysctls1.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/sysctls0.yaml
new file mode 100755
index 00000000000..780a6ed9b2e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/sysctls0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/sysctls0.yaml
new file mode 100755
index 00000000000..86a9991c357
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/sysctls0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/sysctls1.yaml
new file mode 100755
index 00000000000..220289ae3be
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/sysctls1.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/sysctls0.yaml
new file mode 100755
index 00000000000..780a6ed9b2e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/sysctls0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/sysctls0.yaml
new file mode 100755
index 00000000000..86a9991c357
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/sysctls0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/sysctls1.yaml
new file mode 100755
index 00000000000..220289ae3be
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/sysctls1.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/sysctls0.yaml
new file mode 100755
index 00000000000..780a6ed9b2e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/sysctls0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/sysctls0.yaml
new file mode 100755
index 00000000000..86a9991c357
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/sysctls0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/sysctls1.yaml
new file mode 100755
index 00000000000..220289ae3be
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/sysctls1.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/sysctls0.yaml
new file mode 100755
index 00000000000..21d63a65a8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/sysctls0.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/sysctls0.yaml
new file mode 100755
index 00000000000..e5e3fb64968
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/sysctls0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/sysctls1.yaml
new file mode 100755
index 00000000000..1a364429f4a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/sysctls1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/sysctls0.yaml
new file mode 100755
index 00000000000..21d63a65a8f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/sysctls0.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/sysctls0.yaml
new file mode 100755
index 00000000000..e5e3fb64968
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/sysctls0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/sysctls1.yaml
new file mode 100755
index 00000000000..1a364429f4a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/sysctls1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0