PodSecurity: restricted capabilities: regenerate files

This commit is contained in:
Jordan Liggitt 2021-07-07 17:28:51 -04:00
parent f10dfc6e30
commit 62b71175e7
5 changed files with 92 additions and 92 deletions

View File

@ -14,7 +14,9 @@ spec:
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:

View File

@ -10,87 +10,13 @@ spec:
allowPrivilegeEscalation: false
capabilities:
drop:
- SYS_TIME
- SYS_MODULE
- SYS_RAWIO
- SYS_PACCT
- SYS_ADMIN
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- MKNOD
- AUDIT_WRITE
- AUDIT_CONTROL
- MAC_OVERRIDE
- MAC_ADMIN
- NET_ADMIN
- SYSLOG
- CHOWN
- NET_RAW
- DAC_OVERRIDE
- FOWNER
- DAC_READ_SEARCH
- FSETID
- KILL
- SETGID
- SETUID
- LINUX_IMMUTABLE
- NET_BIND_SERVICE
- NET_BROADCAST
- IPC_LOCK
- IPC_OWNER
- SYS_CHROOT
- SYS_PTRACE
- SYS_BOOT
- LEASE
- SETFCAP
- WAKE_ALARM
- BLOCK_SUSPEND
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- SYS_TIME
- SYS_MODULE
- SYS_RAWIO
- SYS_PACCT
- SYS_ADMIN
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- MKNOD
- AUDIT_WRITE
- AUDIT_CONTROL
- MAC_OVERRIDE
- MAC_ADMIN
- NET_ADMIN
- SYSLOG
- CHOWN
- NET_RAW
- DAC_OVERRIDE
- FOWNER
- DAC_READ_SEARCH
- FSETID
- KILL
- SETGID
- SETUID
- LINUX_IMMUTABLE
- NET_BIND_SERVICE
- NET_BROADCAST
- IPC_LOCK
- IPC_OWNER
- SYS_CHROOT
- SYS_PTRACE
- SYS_BOOT
- LEASE
- SETFCAP
- WAKE_ALARM
- BLOCK_SUSPEND
capabilities: {}
securityContext:
runAsNonRoot: true
seccompProfile:

View File

@ -9,44 +9,88 @@ spec:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
drop:
- SYS_TIME
- SYS_MODULE
- SYS_RAWIO
- SYS_PACCT
- SYS_ADMIN
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- MKNOD
- AUDIT_WRITE
- AUDIT_CONTROL
- MAC_OVERRIDE
- MAC_ADMIN
- NET_ADMIN
- SYSLOG
- CHOWN
- NET_RAW
- DAC_OVERRIDE
- FOWNER
- DAC_READ_SEARCH
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- LINUX_IMMUTABLE
- NET_BIND_SERVICE
- NET_BROADCAST
- IPC_LOCK
- IPC_OWNER
- SYS_CHROOT
drop:
- ALL
- SYS_PTRACE
- SYS_BOOT
- LEASE
- SETFCAP
- WAKE_ALARM
- BLOCK_SUSPEND
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
drop:
- SYS_TIME
- SYS_MODULE
- SYS_RAWIO
- SYS_PACCT
- SYS_ADMIN
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- MKNOD
- AUDIT_WRITE
- AUDIT_CONTROL
- MAC_OVERRIDE
- MAC_ADMIN
- NET_ADMIN
- SYSLOG
- CHOWN
- NET_RAW
- DAC_OVERRIDE
- FOWNER
- DAC_READ_SEARCH
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- LINUX_IMMUTABLE
- NET_BIND_SERVICE
- NET_BROADCAST
- IPC_LOCK
- IPC_OWNER
- SYS_CHROOT
drop:
- ALL
- SYS_PTRACE
- SYS_BOOT
- LEASE
- SETFCAP
- WAKE_ALARM
- BLOCK_SUSPEND
securityContext:
runAsNonRoot: true
seccompProfile:

View File

@ -1,7 +1,7 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_restricted1
name: capabilities_restricted3
spec:
containers:
- image: k8s.gcr.io/pause
@ -10,7 +10,19 @@ spec:
allowPrivilegeEscalation: false
capabilities:
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
drop:
- ALL
initContainers:
@ -20,7 +32,19 @@ spec:
allowPrivilegeEscalation: false
capabilities:
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
drop:
- ALL
securityContext:

View File

@ -9,6 +9,8 @@ spec:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
initContainers:
@ -17,6 +19,8 @@ spec:
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
securityContext: