From 5bd3334ad69a074fafa7f1153e48ae08ca196b07 Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Wed, 30 Jun 2021 11:02:22 -0400 Subject: [PATCH] [PodSecurity] Add privileged containers baseline check 
Signed-off-by: Anish Ramasekar --- .../policy/check_privileged.go | 72 +++++++++++++++++++ .../test/fixtures_privileged.go | 67 +++++++++++++++++ .../baseline/v1.0/fail/privileged0.yaml | 15 ++++ .../baseline/v1.0/fail/privileged1.yaml | 15 ++++ .../baseline/v1.0/pass/privileged0.yaml | 16 +++++ .../baseline/v1.1/fail/privileged0.yaml | 15 ++++ .../baseline/v1.1/fail/privileged1.yaml | 15 ++++ .../baseline/v1.1/pass/privileged0.yaml | 16 +++++ .../baseline/v1.10/fail/privileged0.yaml | 15 ++++ .../baseline/v1.10/fail/privileged1.yaml | 15 ++++ .../baseline/v1.10/pass/privileged0.yaml | 16 +++++ .../baseline/v1.11/fail/privileged0.yaml | 15 ++++ .../baseline/v1.11/fail/privileged1.yaml | 15 ++++ .../baseline/v1.11/pass/privileged0.yaml | 16 +++++ .../baseline/v1.12/fail/privileged0.yaml | 15 ++++ .../baseline/v1.12/fail/privileged1.yaml | 15 ++++ .../baseline/v1.12/pass/privileged0.yaml | 16 +++++ .../baseline/v1.13/fail/privileged0.yaml | 15 ++++ .../baseline/v1.13/fail/privileged1.yaml | 15 ++++ .../baseline/v1.13/pass/privileged0.yaml | 16 +++++ .../baseline/v1.14/fail/privileged0.yaml | 15 ++++ .../baseline/v1.14/fail/privileged1.yaml | 15 ++++ .../baseline/v1.14/pass/privileged0.yaml | 16 +++++ .../baseline/v1.15/fail/privileged0.yaml | 15 ++++ .../baseline/v1.15/fail/privileged1.yaml | 15 ++++ .../baseline/v1.15/pass/privileged0.yaml | 16 +++++ .../baseline/v1.16/fail/privileged0.yaml | 15 ++++ .../baseline/v1.16/fail/privileged1.yaml | 15 ++++ .../baseline/v1.16/pass/privileged0.yaml | 16 +++++ .../baseline/v1.17/fail/privileged0.yaml | 15 ++++ .../baseline/v1.17/fail/privileged1.yaml | 15 ++++ .../baseline/v1.17/pass/privileged0.yaml | 16 +++++ .../baseline/v1.18/fail/privileged0.yaml | 15 ++++ .../baseline/v1.18/fail/privileged1.yaml | 15 ++++ .../baseline/v1.18/pass/privileged0.yaml | 16 +++++ .../baseline/v1.19/fail/privileged0.yaml | 15 ++++ .../baseline/v1.19/fail/privileged1.yaml | 15 ++++ .../baseline/v1.19/pass/privileged0.yaml | 16 +++++ 
.../baseline/v1.2/fail/privileged0.yaml | 15 ++++ .../baseline/v1.2/fail/privileged1.yaml | 15 ++++ .../baseline/v1.2/pass/privileged0.yaml | 16 +++++ .../baseline/v1.20/fail/privileged0.yaml | 15 ++++ .../baseline/v1.20/fail/privileged1.yaml | 15 ++++ .../baseline/v1.20/pass/privileged0.yaml | 16 +++++ .../baseline/v1.21/fail/privileged0.yaml | 15 ++++ .../baseline/v1.21/fail/privileged1.yaml | 15 ++++ .../baseline/v1.21/pass/privileged0.yaml | 16 +++++ .../baseline/v1.22/fail/privileged0.yaml | 15 ++++ .../baseline/v1.22/fail/privileged1.yaml | 15 ++++ .../baseline/v1.22/pass/privileged0.yaml | 16 +++++ .../baseline/v1.3/fail/privileged0.yaml | 15 ++++ .../baseline/v1.3/fail/privileged1.yaml | 15 ++++ .../baseline/v1.3/pass/privileged0.yaml | 16 +++++ .../baseline/v1.4/fail/privileged0.yaml | 15 ++++ .../baseline/v1.4/fail/privileged1.yaml | 15 ++++ .../baseline/v1.4/pass/privileged0.yaml | 16 +++++ .../baseline/v1.5/fail/privileged0.yaml | 15 ++++ .../baseline/v1.5/fail/privileged1.yaml | 15 ++++ .../baseline/v1.5/pass/privileged0.yaml | 16 +++++ .../baseline/v1.6/fail/privileged0.yaml | 15 ++++ .../baseline/v1.6/fail/privileged1.yaml | 15 ++++ .../baseline/v1.6/pass/privileged0.yaml | 16 +++++ .../baseline/v1.7/fail/privileged0.yaml | 15 ++++ .../baseline/v1.7/fail/privileged1.yaml | 15 ++++ .../baseline/v1.7/pass/privileged0.yaml | 16 +++++ .../baseline/v1.8/fail/privileged0.yaml | 15 ++++ .../baseline/v1.8/fail/privileged1.yaml | 15 ++++ .../baseline/v1.8/pass/privileged0.yaml | 16 +++++ .../baseline/v1.9/fail/privileged0.yaml | 15 ++++ .../baseline/v1.9/fail/privileged1.yaml | 15 ++++ .../baseline/v1.9/pass/privileged0.yaml | 16 +++++ .../restricted/v1.0/fail/privileged0.yaml | 16 +++++ .../restricted/v1.0/fail/privileged1.yaml | 16 +++++ .../restricted/v1.0/pass/privileged0.yaml | 17 +++++ .../restricted/v1.1/fail/privileged0.yaml | 16 +++++ .../restricted/v1.1/fail/privileged1.yaml | 16 +++++ .../restricted/v1.1/pass/privileged0.yaml | 17 +++++ 
.../restricted/v1.10/fail/privileged0.yaml | 17 +++++ .../restricted/v1.10/fail/privileged1.yaml | 17 +++++ .../restricted/v1.10/pass/privileged0.yaml | 19 +++++ .../restricted/v1.11/fail/privileged0.yaml | 17 +++++ .../restricted/v1.11/fail/privileged1.yaml | 17 +++++ .../restricted/v1.11/pass/privileged0.yaml | 19 +++++ .../restricted/v1.12/fail/privileged0.yaml | 17 +++++ .../restricted/v1.12/fail/privileged1.yaml | 17 +++++ .../restricted/v1.12/pass/privileged0.yaml | 19 +++++ .../restricted/v1.13/fail/privileged0.yaml | 17 +++++ .../restricted/v1.13/fail/privileged1.yaml | 17 +++++ .../restricted/v1.13/pass/privileged0.yaml | 19 +++++ .../restricted/v1.14/fail/privileged0.yaml | 17 +++++ .../restricted/v1.14/fail/privileged1.yaml | 17 +++++ .../restricted/v1.14/pass/privileged0.yaml | 19 +++++ .../restricted/v1.15/fail/privileged0.yaml | 17 +++++ .../restricted/v1.15/fail/privileged1.yaml | 17 +++++ .../restricted/v1.15/pass/privileged0.yaml | 19 +++++ .../restricted/v1.16/fail/privileged0.yaml | 17 +++++ .../restricted/v1.16/fail/privileged1.yaml | 17 +++++ .../restricted/v1.16/pass/privileged0.yaml | 19 +++++ .../restricted/v1.17/fail/privileged0.yaml | 17 +++++ .../restricted/v1.17/fail/privileged1.yaml | 17 +++++ .../restricted/v1.17/pass/privileged0.yaml | 19 +++++ .../restricted/v1.18/fail/privileged0.yaml | 17 +++++ .../restricted/v1.18/fail/privileged1.yaml | 17 +++++ .../restricted/v1.18/pass/privileged0.yaml | 19 +++++ .../restricted/v1.19/fail/privileged0.yaml | 17 +++++ .../restricted/v1.19/fail/privileged1.yaml | 17 +++++ .../restricted/v1.19/pass/privileged0.yaml | 19 +++++ .../restricted/v1.2/fail/privileged0.yaml | 16 +++++ .../restricted/v1.2/fail/privileged1.yaml | 16 +++++ .../restricted/v1.2/pass/privileged0.yaml | 17 +++++ .../restricted/v1.20/fail/privileged0.yaml | 17 +++++ .../restricted/v1.20/fail/privileged1.yaml | 17 +++++ .../restricted/v1.20/pass/privileged0.yaml | 19 +++++ .../restricted/v1.21/fail/privileged0.yaml | 17 +++++ 
.../restricted/v1.21/fail/privileged1.yaml | 17 +++++ .../restricted/v1.21/pass/privileged0.yaml | 19 +++++ .../restricted/v1.22/fail/privileged0.yaml | 17 +++++ .../restricted/v1.22/fail/privileged1.yaml | 17 +++++ .../restricted/v1.22/pass/privileged0.yaml | 19 +++++ .../restricted/v1.3/fail/privileged0.yaml | 16 +++++ .../restricted/v1.3/fail/privileged1.yaml | 16 +++++ .../restricted/v1.3/pass/privileged0.yaml | 17 +++++ .../restricted/v1.4/fail/privileged0.yaml | 16 +++++ .../restricted/v1.4/fail/privileged1.yaml | 16 +++++ .../restricted/v1.4/pass/privileged0.yaml | 17 +++++ .../restricted/v1.5/fail/privileged0.yaml | 16 +++++ .../restricted/v1.5/fail/privileged1.yaml | 16 +++++ .../restricted/v1.5/pass/privileged0.yaml | 17 +++++ .../restricted/v1.6/fail/privileged0.yaml | 16 +++++ .../restricted/v1.6/fail/privileged1.yaml | 16 +++++ .../restricted/v1.6/pass/privileged0.yaml | 17 +++++ .../restricted/v1.7/fail/privileged0.yaml | 16 +++++ .../restricted/v1.7/fail/privileged1.yaml | 16 +++++ .../restricted/v1.7/pass/privileged0.yaml | 17 +++++ .../restricted/v1.8/fail/privileged0.yaml | 17 +++++ .../restricted/v1.8/fail/privileged1.yaml | 17 +++++ .../restricted/v1.8/pass/privileged0.yaml | 19 +++++ .../restricted/v1.9/fail/privileged0.yaml | 17 +++++ .../restricted/v1.9/fail/privileged1.yaml | 17 +++++ .../restricted/v1.9/pass/privileged0.yaml | 19 +++++ test/integration/auth/podsecurity_test.go | 5 ++ 141 files changed, 2389 insertions(+) create mode 100644 staging/src/k8s.io/pod-security-admission/policy/check_privileged.go create mode 100644 staging/src/k8s.io/pod-security-admission/test/fixtures_privileged.go create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/privileged0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/privileged0.yaml 
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/privileged1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/privileged1.yaml create mode 
100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/privileged1.yaml 
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/privileged0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/privileged0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/privileged1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/privileged0.yaml
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_privileged.go b/staging/src/k8s.io/pod-security-admission/policy/check_privileged.go
new file mode 100644
index 00000000000..20fafa3bb1e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_privileged.go
@@ -0,0 +1,72 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+ "strings"
+
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/validation/field"
+ "k8s.io/pod-security-admission/api"
+)
+
+/*
+Privileged Pods disable most security mechanisms and must be disallowed.
+
+Restricted Fields:
+spec.containers[*].securityContext.privileged
+spec.initContainers[*].securityContext.privileged
+
+Allowed Values: false, undefined/nil
+*/
+
+func init() {
+ addCheck(CheckPrivileged)
+}
+
+// CheckPrivileged returns a baseline level check
+// that requires privileged=false in 1.0+
+func CheckPrivileged() Check {
+ return Check{
+ ID: "privileged",
+ Level: api.LevelBaseline,
+ Versions: []VersionedCheck{
+ {
+ MinimumVersion: api.MajorMinorVersion(1, 0),
+ CheckPod: privileged_1_0,
+ },
+ },
+ }
+}
+
+func privileged_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+ var forbiddenPaths []string
+ visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
+ if container.SecurityContext != nil && container.SecurityContext.Privileged != nil && *container.SecurityContext.Privileged {
+ forbiddenPaths = append(forbiddenPaths, path.Child("securityContext", "privileged").String())
+ }
+ })
+ if len(forbiddenPaths) > 0 {
+ return CheckResult{
+ Allowed: false,
+ ForbiddenReason: "privileged == true",
+ ForbiddenDetail: strings.Join(forbiddenPaths, ", "),
+ }
+ }
+ return CheckResult{Allowed: true}
+}
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_privileged.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_privileged.go
new file mode 100644
index 00000000000..ffac5e3a45c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_privileged.go
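Review bot: The header comment lists spec.containers and spec.initContainers as the restricted fields, but privileged_1_0 defers entirely to visitContainersWithPath, whose body is not in this patch, so whether spec.ephemeralContainers is covered cannot be confirmed here. If the helper does not walk ephemeral containers, a privileged ephemeral container would pass the baseline check; if it does, the comment under-reports the restricted fields and should gain `spec.ephemeralContainers[*].securityContext.privileged`. Either way, a sentence on privileged_1_0 stating which container lists the helper visits would make the coverage explicit to the next reader. Treating a nil SecurityContext or nil Privileged as allowed matches the documented allowed values, so that logic is fine as written.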
@@ -0,0 +1,67 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package test
+
+import (
+ corev1 "k8s.io/api/core/v1"
+ "k8s.io/pod-security-admission/api"
+ "k8s.io/utils/pointer"
+)
+
+/*
+TODO: include field paths in reflect-based unit test
+
+containerFields: []string{
+ `securityContext.privileged`,
+},
+
+*/
+
+func init() {
+ fixtureData_1_0 := fixtureGenerator{
+ generatePass: func(p *corev1.Pod) []*corev1.Pod {
+ p = ensureSecurityContext(p)
+ return []*corev1.Pod{
+ // privileged set to false
+ tweak(p, func(p *corev1.Pod) {
+ p.Spec.Containers[0].SecurityContext.Privileged = pointer.BoolPtr(false)
+ p.Spec.InitContainers[0].SecurityContext.Privileged = pointer.BoolPtr(false)
+ }),
+ }
+ },
+ generateFail: func(p *corev1.Pod) []*corev1.Pod {
+ p = ensureSecurityContext(p)
+ return []*corev1.Pod{
+ // privileged set to true in container
+ tweak(p, func(p *corev1.Pod) {
+ p.Spec.Containers[0].SecurityContext.Privileged = pointer.BoolPtr(true)
+ p.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation = nil
+ }),
+ // privileged set to true in init container
+ tweak(p, func(p *corev1.Pod) {
+ p.Spec.InitContainers[0].SecurityContext.Privileged = pointer.BoolPtr(true)
+ p.Spec.InitContainers[0].SecurityContext.AllowPrivilegeEscalation = nil
+ }),
+ }
+ },
+ }
+
+ registerFixtureGenerator(
+ fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 0), check: "privileged"},
+ fixtureData_1_0,
+ )
+}
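Review bot: The two `AllowPrivilegeEscalation = nil` lines in `generateFail` carry no explanation, and a reader of the fixture cannot tell whether they are part of what is being tested or just housekeeping; presumably they keep the fixture valid, since the pod API rejects `privileged: true` combined with `allowPrivilegeEscalation: false`, which the base fixture from `ensureSecurityContext` (outside this hunk) may set. A one-line comment above each would settle it, e.g. `// clear allowPrivilegeEscalation so the fixture stays API-valid with privileged=true`. Separately, `generatePass` only exercises `privileged: false`, while the check's header in the same commit also allows undefined/nil; a second pass case that leaves `Privileged` nil on both containers would pin that allowed value.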
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/privileged0.yaml new file mode 100755 index 00000000000..71a106ad0c0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/privileged1.yaml new file mode 100755 index 00000000000..6c2336d227d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/privileged0.yaml new file mode 100755 index 00000000000..765eaec4fc6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/privileged0.yaml new file mode 100755 index 00000000000..71a106ad0c0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/privileged1.yaml new file mode 100755 index 00000000000..6c2336d227d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/privileged0.yaml new file mode 100755 index 00000000000..765eaec4fc6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/privileged0.yaml new file mode 100755 index 00000000000..71a106ad0c0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/privileged1.yaml new file mode 100755 index 00000000000..6c2336d227d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/privileged0.yaml new file mode 100755 index 00000000000..765eaec4fc6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/privileged0.yaml new file mode 100755 index 00000000000..71a106ad0c0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/privileged1.yaml new file mode 100755 index 00000000000..6c2336d227d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/privileged0.yaml new file mode 100755 index 00000000000..765eaec4fc6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/privileged0.yaml new file mode 100755 index 00000000000..71a106ad0c0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/privileged1.yaml new file mode 100755 index 00000000000..6c2336d227d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/privileged0.yaml new file mode 100755 index 00000000000..765eaec4fc6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/privileged0.yaml new file mode 100755 index 00000000000..71a106ad0c0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/privileged1.yaml new file mode 100755 index 00000000000..6c2336d227d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/privileged0.yaml new file mode 100755 index 00000000000..765eaec4fc6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/privileged0.yaml new file mode 100755 index 00000000000..71a106ad0c0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/privileged1.yaml new file mode 100755 index 00000000000..6c2336d227d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/privileged0.yaml new file mode 100755 index 00000000000..765eaec4fc6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/privileged0.yaml new file mode 100755 index 00000000000..71a106ad0c0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/privileged1.yaml new file mode 100755 index 00000000000..6c2336d227d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/privileged0.yaml new file mode 100755 index 00000000000..765eaec4fc6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/privileged0.yaml new file mode 100755 index 00000000000..71a106ad0c0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/privileged1.yaml new file mode 100755 index 00000000000..6c2336d227d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/privileged0.yaml new file mode 100755 index 00000000000..765eaec4fc6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/privileged0.yaml new file mode 100755 index 00000000000..71a106ad0c0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/privileged1.yaml new file mode 100755 index 00000000000..6c2336d227d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/privileged0.yaml new file mode 100755 index 00000000000..765eaec4fc6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/privileged0.yaml new file mode 100755 index 00000000000..71a106ad0c0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/privileged1.yaml new file mode 100755 index 00000000000..6c2336d227d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/privileged0.yaml new file mode 100755 index 00000000000..765eaec4fc6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/privileged0.yaml new file mode 100755 index 00000000000..71a106ad0c0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/privileged1.yaml new file mode 100755 index 00000000000..6c2336d227d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/privileged0.yaml new file mode 100755 index 00000000000..765eaec4fc6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/privileged0.yaml new file mode 100755 index 00000000000..71a106ad0c0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/privileged1.yaml new file mode 100755 index 00000000000..6c2336d227d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/privileged0.yaml new file mode 100755 index 00000000000..765eaec4fc6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/privileged0.yaml new file mode 100755 index 00000000000..71a106ad0c0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/privileged1.yaml new file mode 100755 index 00000000000..6c2336d227d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/privileged0.yaml new file mode 100755 index 00000000000..765eaec4fc6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/privileged0.yaml new file mode 100755 index 00000000000..71a106ad0c0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/privileged1.yaml new file mode 100755 index 00000000000..6c2336d227d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/privileged0.yaml new file mode 100755 index 00000000000..765eaec4fc6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/privileged0.yaml new file mode 100755 index 00000000000..71a106ad0c0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/privileged1.yaml new file mode 100755 index 00000000000..6c2336d227d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/privileged0.yaml new file mode 100755 index 00000000000..765eaec4fc6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/privileged0.yaml
new file mode 100755
index 00000000000..71a106ad0c0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/privileged0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/privileged1.yaml
new file mode 100755
index 00000000000..6c2336d227d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/privileged1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/privileged0.yaml
new file mode 100755
index 00000000000..765eaec4fc6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/privileged0.yaml
new file mode 100755
index 00000000000..71a106ad0c0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/privileged0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/privileged1.yaml
new file mode 100755
index 00000000000..6c2336d227d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/privileged1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/privileged0.yaml
new file mode 100755
index 00000000000..765eaec4fc6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/privileged0.yaml
new file mode 100755
index 00000000000..71a106ad0c0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/privileged0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/privileged1.yaml
new file mode 100755
index 00000000000..6c2336d227d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/privileged1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/privileged0.yaml
new file mode 100755
index 00000000000..765eaec4fc6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/privileged0.yaml
new file mode 100755
index 00000000000..71a106ad0c0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/privileged0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/privileged1.yaml
new file mode 100755
index 00000000000..6c2336d227d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/privileged1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/privileged0.yaml
new file mode 100755
index 00000000000..765eaec4fc6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/privileged0.yaml
new file mode 100755
index 00000000000..71a106ad0c0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/privileged0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/privileged1.yaml
new file mode 100755
index 00000000000..6c2336d227d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/privileged1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/privileged0.yaml
new file mode 100755
index 00000000000..765eaec4fc6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/privileged0.yaml
new file mode 100755
index 00000000000..71a106ad0c0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/privileged0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/privileged1.yaml
new file mode 100755
index 00000000000..6c2336d227d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/privileged1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/privileged0.yaml
new file mode 100755
index 00000000000..765eaec4fc6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/privileged0.yaml
new file mode 100755
index 00000000000..71a106ad0c0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/privileged0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/privileged1.yaml
new file mode 100755
index 00000000000..6c2336d227d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/privileged1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/privileged0.yaml
new file mode 100755
index 00000000000..765eaec4fc6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/privileged0.yaml
new file mode 100755
index 00000000000..b3ff80dd340
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/privileged1.yaml
new file mode 100755
index 00000000000..be91b37029f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/privileged1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/privileged0.yaml
new file mode 100755
index 00000000000..366f7a97428
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/privileged0.yaml
new file mode 100755
index 00000000000..b3ff80dd340
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/privileged1.yaml
new file mode 100755
index 00000000000..be91b37029f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/privileged1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/privileged0.yaml
new file mode 100755
index 00000000000..366f7a97428
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/privileged0.yaml
new file mode 100755
index 00000000000..1db3de5f92b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/privileged1.yaml
new file mode 100755
index 00000000000..222624aab0b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/privileged1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/privileged0.yaml
new file mode 100755
index 00000000000..0194f47aef1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/privileged0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/privileged0.yaml
new file mode 100755
index 00000000000..1db3de5f92b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/privileged1.yaml
new file mode 100755
index 00000000000..222624aab0b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/privileged1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/privileged0.yaml
new file mode 100755
index 00000000000..0194f47aef1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/privileged0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/privileged0.yaml
new file mode 100755
index 00000000000..1db3de5f92b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/privileged1.yaml
new file mode 100755
index 00000000000..222624aab0b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/privileged1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/privileged0.yaml
new file mode 100755
index 00000000000..0194f47aef1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/privileged0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/privileged0.yaml
new file mode 100755
index 00000000000..1db3de5f92b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/privileged1.yaml
new file mode 100755
index 00000000000..222624aab0b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/privileged1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/privileged0.yaml
new file mode 100755
index 00000000000..0194f47aef1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/privileged0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/privileged0.yaml
new file mode 100755
index 00000000000..1db3de5f92b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/privileged1.yaml
new file mode 100755
index 00000000000..222624aab0b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/privileged1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/privileged0.yaml
new file mode 100755
index 00000000000..0194f47aef1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/privileged0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/privileged0.yaml
new file mode 100755
index 00000000000..1db3de5f92b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/privileged1.yaml
new file mode 100755
index 00000000000..222624aab0b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/privileged1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/privileged0.yaml
new file mode 100755
index 00000000000..0194f47aef1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/privileged0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/privileged0.yaml
new file mode 100755
index 00000000000..1db3de5f92b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/privileged1.yaml
new file mode 100755
index 00000000000..222624aab0b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/privileged1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/privileged0.yaml
new file mode 100755
index 00000000000..0194f47aef1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/privileged0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/privileged0.yaml
new file mode 100755
index 00000000000..1db3de5f92b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/privileged1.yaml
new file mode 100755
index 00000000000..222624aab0b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/privileged1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/privileged0.yaml
new file mode 100755
index 00000000000..0194f47aef1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/privileged0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/privileged0.yaml
new file mode 100755
index 00000000000..1db3de5f92b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/privileged1.yaml
new file mode 100755
index 00000000000..222624aab0b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/privileged1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/privileged0.yaml
new file mode 100755
index 00000000000..0194f47aef1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/privileged0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/privileged0.yaml
new file mode 100755
index 00000000000..1db3de5f92b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/privileged1.yaml
new file mode 100755
index 00000000000..222624aab0b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/privileged1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/privileged0.yaml
new file mode 100755
index 00000000000..0194f47aef1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/privileged0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/privileged0.yaml
new file mode 100755
index 00000000000..b3ff80dd340
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/privileged1.yaml
new file mode 100755
index 00000000000..be91b37029f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/privileged1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/privileged0.yaml
new file mode 100755
index 00000000000..366f7a97428
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/privileged0.yaml
new file mode 100755
index 00000000000..1db3de5f92b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/privileged1.yaml
new file mode 100755
index 00000000000..222624aab0b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/privileged1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/privileged0.yaml
new file mode 100755
index 00000000000..0194f47aef1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/privileged0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/privileged0.yaml
new file mode 100755
index 00000000000..1db3de5f92b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/privileged1.yaml
new file mode 100755
index 00000000000..222624aab0b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/privileged1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/privileged0.yaml
new file mode 100755
index 00000000000..0194f47aef1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/privileged0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/privileged0.yaml
new file mode 100755
index 00000000000..1db3de5f92b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/privileged1.yaml
new file mode 100755
index 00000000000..222624aab0b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/privileged1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/privileged0.yaml
new file mode 100755
index 00000000000..0194f47aef1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/privileged0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/privileged0.yaml
new file mode 100755
index 00000000000..b3ff80dd340
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/privileged1.yaml
new file mode 100755
index 00000000000..be91b37029f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/privileged1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/privileged0.yaml
new file mode 100755
index 00000000000..366f7a97428
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/privileged0.yaml
new file mode 100755
index 00000000000..b3ff80dd340
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/privileged1.yaml
new file mode 100755
index 00000000000..be91b37029f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/privileged1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/privileged0.yaml
new file mode 100755
index 00000000000..366f7a97428
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/privileged0.yaml
new file mode 100755
index 00000000000..b3ff80dd340
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/privileged1.yaml
new file mode 100755
index 00000000000..be91b37029f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/privileged1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/privileged0.yaml
new file mode 100755
index 00000000000..366f7a97428
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/privileged0.yaml
new file mode 100755
index 00000000000..b3ff80dd340
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/privileged1.yaml
new file mode 100755
index 00000000000..be91b37029f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/privileged1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/privileged0.yaml
new file mode 100755
index 00000000000..366f7a97428
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/privileged0.yaml
new file mode 100755
index 00000000000..b3ff80dd340
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/privileged1.yaml
new file mode 100755
index 00000000000..be91b37029f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/privileged1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/privileged0.yaml
new file mode 100755
index 00000000000..366f7a97428
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/privileged0.yaml
new file mode 100755
index 00000000000..1db3de5f92b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/privileged1.yaml
new file mode 100755
index 00000000000..222624aab0b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/privileged1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/privileged0.yaml
new file mode 100755
index 00000000000..0194f47aef1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/privileged0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/privileged0.yaml
new file mode 100755
index 00000000000..1db3de5f92b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/privileged0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/privileged1.yaml
new file mode 100755
index 00000000000..222624aab0b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/privileged1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/privileged0.yaml
new file mode 100755
index 00000000000..0194f47aef1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/privileged0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/test/integration/auth/podsecurity_test.go b/test/integration/auth/podsecurity_test.go
index 5a3afcb753c..bea7e700067 100644
--- a/test/integration/auth/podsecurity_test.go +++ b/test/integration/auth/podsecurity_test.go @@ -22,6 +22,7 @@ import ( utilfeature "k8s.io/apiserver/pkg/util/feature" featuregatetesting "k8s.io/component-base/featuregate/testing" kubeapiservertesting "k8s.io/kubernetes/cmd/kube-apiserver/app/testing" + "k8s.io/kubernetes/pkg/capabilities" "k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/test/integration/framework" podsecuritytest "k8s.io/pod-security-admission/test" @@ -32,10 +33,14 @@ func TestPodSecurity(t *testing.T) { server := kubeapiservertesting.StartTestServerOrDie(t, kubeapiservertesting.NewDefaultTestServerOptions(), []string{ "--anonymous-auth=false", "--enable-admission-plugins=PodSecurity", + "--allow-privileged=true", // TODO: "--admission-control-config-file=" + admissionConfigFile.Name(), }, framework.SharedEtcd()) defer server.TearDownFn() + // ensure the global is set to allow privileged containers + capabilities.SetForTests(capabilities.Capabilities{AllowPrivileged: true}) + opts := podsecuritytest.Options{ ClientConfig: server.ClientConfig,