PodSecurity: restricted capabilities: regenerate files

2025-07-26 05:03:09 +00:00 · 2021-07-07 17:28:51 -04:00 · 2021-07-07 17:28:51 -04:00 · 62b71175e7
commit 62b71175e7
parent f10dfc6e30
5 changed files with 92 additions and 92 deletions
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted0.yaml
@ -14,7 +14,9 @@ spec:
    name: initcontainer1
    securityContext:
      allowPrivilegeEscalation: false
-      capabilities: {}
+      capabilities:
+        drop:
+        - ALL
  securityContext:
    runAsNonRoot: true
    seccompProfile:
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted1.yaml
@ -10,87 +10,13 @@ spec:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
-        - SYS_TIME
-        - SYS_MODULE
-        - SYS_RAWIO
-        - SYS_PACCT
-        - SYS_ADMIN
-        - SYS_NICE
-        - SYS_RESOURCE
-        - SYS_TIME
-        - SYS_TTY_CONFIG
-        - MKNOD
-        - AUDIT_WRITE
-        - AUDIT_CONTROL
-        - MAC_OVERRIDE
-        - MAC_ADMIN
-        - NET_ADMIN
-        - SYSLOG
-        - CHOWN
-        - NET_RAW
-        - DAC_OVERRIDE
-        - FOWNER
-        - DAC_READ_SEARCH
-        - FSETID
-        - KILL
-        - SETGID
-        - SETUID
-        - LINUX_IMMUTABLE
-        - NET_BIND_SERVICE
-        - NET_BROADCAST
-        - IPC_LOCK
-        - IPC_OWNER
-        - SYS_CHROOT
-        - SYS_PTRACE
-        - SYS_BOOT
-        - LEASE
-        - SETFCAP
-        - WAKE_ALARM
-        - BLOCK_SUSPEND
+        - ALL
  initContainers:
  - image: k8s.gcr.io/pause
    name: initcontainer1
    securityContext:
      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - SYS_TIME
-        - SYS_MODULE
-        - SYS_RAWIO
-        - SYS_PACCT
-        - SYS_ADMIN
-        - SYS_NICE
-        - SYS_RESOURCE
-        - SYS_TIME
-        - SYS_TTY_CONFIG
-        - MKNOD
-        - AUDIT_WRITE
-        - AUDIT_CONTROL
-        - MAC_OVERRIDE
-        - MAC_ADMIN
-        - NET_ADMIN
-        - SYSLOG
-        - CHOWN
-        - NET_RAW
-        - DAC_OVERRIDE
-        - FOWNER
-        - DAC_READ_SEARCH
-        - FSETID
-        - KILL
-        - SETGID
-        - SETUID
-        - LINUX_IMMUTABLE
-        - NET_BIND_SERVICE
-        - NET_BROADCAST
-        - IPC_LOCK
-        - IPC_OWNER
-        - SYS_CHROOT
-        - SYS_PTRACE
-        - SYS_BOOT
-        - LEASE
-        - SETFCAP
-        - WAKE_ALARM
-        - BLOCK_SUSPEND
+      capabilities: {}
  securityContext:
    runAsNonRoot: true
    seccompProfile:
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted2.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted2.yaml
@ -9,44 +9,88 @@ spec:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
-        add:
+        drop:
+        - SYS_TIME
+        - SYS_MODULE
+        - SYS_RAWIO
+        - SYS_PACCT
+        - SYS_ADMIN
+        - SYS_NICE
+        - SYS_RESOURCE
+        - SYS_TIME
+        - SYS_TTY_CONFIG
+        - MKNOD
        - AUDIT_WRITE
+        - AUDIT_CONTROL
+        - MAC_OVERRIDE
+        - MAC_ADMIN
+        - NET_ADMIN
+        - SYSLOG
        - CHOWN
+        - NET_RAW
        - DAC_OVERRIDE
        - FOWNER
+        - DAC_READ_SEARCH
        - FSETID
        - KILL
-        - MKNOD
-        - NET_BIND_SERVICE
-        - SETFCAP
        - SETGID
-        - SETPCAP
        - SETUID
+        - LINUX_IMMUTABLE
+        - NET_BIND_SERVICE
+        - NET_BROADCAST
+        - IPC_LOCK
+        - IPC_OWNER
        - SYS_CHROOT
-        drop:
-        - ALL
+        - SYS_PTRACE
+        - SYS_BOOT
+        - LEASE
+        - SETFCAP
+        - WAKE_ALARM
+        - BLOCK_SUSPEND
  initContainers:
  - image: k8s.gcr.io/pause
    name: initcontainer1
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
-        add:
+        drop:
+        - SYS_TIME
+        - SYS_MODULE
+        - SYS_RAWIO
+        - SYS_PACCT
+        - SYS_ADMIN
+        - SYS_NICE
+        - SYS_RESOURCE
+        - SYS_TIME
+        - SYS_TTY_CONFIG
+        - MKNOD
        - AUDIT_WRITE
+        - AUDIT_CONTROL
+        - MAC_OVERRIDE
+        - MAC_ADMIN
+        - NET_ADMIN
+        - SYSLOG
        - CHOWN
+        - NET_RAW
        - DAC_OVERRIDE
        - FOWNER
+        - DAC_READ_SEARCH
        - FSETID
        - KILL
-        - MKNOD
-        - NET_BIND_SERVICE
-        - SETFCAP
        - SETGID
-        - SETPCAP
        - SETUID
+        - LINUX_IMMUTABLE
+        - NET_BIND_SERVICE
+        - NET_BROADCAST
+        - IPC_LOCK
+        - IPC_OWNER
        - SYS_CHROOT
-        drop:
-        - ALL
+        - SYS_PTRACE
+        - SYS_BOOT
+        - LEASE
+        - SETFCAP
+        - WAKE_ALARM
+        - BLOCK_SUSPEND
  securityContext:
    runAsNonRoot: true
    seccompProfile:
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted3.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted3.yaml
@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: capabilities_restricted1
+  name: capabilities_restricted3
 spec:
  containers:
  - image: k8s.gcr.io/pause
@ -10,7 +10,19 @@ spec:
      allowPrivilegeEscalation: false
      capabilities:
        add:
+        - AUDIT_WRITE
+        - CHOWN
+        - DAC_OVERRIDE
+        - FOWNER
+        - FSETID
+        - KILL
+        - MKNOD
        - NET_BIND_SERVICE
+        - SETFCAP
+        - SETGID
+        - SETPCAP
+        - SETUID
+        - SYS_CHROOT
        drop:
        - ALL
  initContainers:
@ -20,7 +32,19 @@ spec:
      allowPrivilegeEscalation: false
      capabilities:
        add:
+        - AUDIT_WRITE
+        - CHOWN
+        - DAC_OVERRIDE
+        - FOWNER
+        - FSETID
+        - KILL
+        - MKNOD
        - NET_BIND_SERVICE
+        - SETFCAP
+        - SETGID
+        - SETPCAP
+        - SETUID
+        - SYS_CHROOT
        drop:
        - ALL
  securityContext:
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/capabilities_restricted0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/capabilities_restricted0.yaml
@ -9,6 +9,8 @@ spec:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
+        add:
+        - NET_BIND_SERVICE
        drop:
        - ALL
  initContainers:
@ -17,6 +19,8 @@ spec:
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
+        add:
+        - NET_BIND_SERVICE
        drop:
        - ALL
  securityContext: