From 62b71175e74a456bf0535aa079dac6f3238fbddc Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Wed, 7 Jul 2021 17:28:51 -0400
Subject: [PATCH] PodSecurity: restricted capabilities: regenerate files
---
.../v1.22/fail/capabilities_restricted0.yaml | 4 +-
.../v1.22/fail/capabilities_restricted1.yaml | 78 +------------------
.../v1.22/fail/capabilities_restricted2.yaml | 72 +++++++++++++----
.../capabilities_restricted3.yaml} | 26 ++++++-
.../v1.22/pass/capabilities_restricted0.yaml | 4 +
5 files changed, 92 insertions(+), 92 deletions(-)
rename staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/{pass/capabilities_restricted1.yaml => fail/capabilities_restricted3.yaml} (54%)
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted0.yaml
index ce75b89e2e0..baab0335a25 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted0.yaml
@@ -14,7 +14,9 @@ spec:
 name: initcontainer1
 securityContext:
 allowPrivilegeEscalation: false
- capabilities: {}
+ capabilities:
+ drop:
+ - ALL
 securityContext:
 runAsNonRoot: true
 seccompProfile:
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted1.yaml
index e49cc77b36f..a48200bd93e 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted1.yaml
@@ -10,87 +10,13 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 drop:
- - SYS_TIME
- - SYS_MODULE
- - SYS_RAWIO
- - SYS_PACCT
- - SYS_ADMIN
- - SYS_NICE
- - SYS_RESOURCE
- - SYS_TIME
- - SYS_TTY_CONFIG
- - MKNOD
- - AUDIT_WRITE
- - AUDIT_CONTROL
- - MAC_OVERRIDE
- - MAC_ADMIN
- - NET_ADMIN
- - SYSLOG
- - CHOWN
- - NET_RAW
- - DAC_OVERRIDE
- - FOWNER
- - DAC_READ_SEARCH
- - FSETID
- - KILL
- - SETGID
- - SETUID
- - LINUX_IMMUTABLE
- - NET_BIND_SERVICE
- - NET_BROADCAST
- - IPC_LOCK
- - IPC_OWNER
- - SYS_CHROOT
- - SYS_PTRACE
- - SYS_BOOT
- - LEASE
- - SETFCAP
- - WAKE_ALARM
- - BLOCK_SUSPEND
+ - ALL
 initContainers:
 - image: k8s.gcr.io/pause
 name: initcontainer1
 securityContext:
 allowPrivilegeEscalation: false
- capabilities:
- drop:
- - SYS_TIME
- - SYS_MODULE
- - SYS_RAWIO
- - SYS_PACCT
- - SYS_ADMIN
- - SYS_NICE
- - SYS_RESOURCE
- - SYS_TIME
- - SYS_TTY_CONFIG
- - MKNOD
- - AUDIT_WRITE
- - AUDIT_CONTROL
- - MAC_OVERRIDE
- - MAC_ADMIN
- - NET_ADMIN
- - SYSLOG
- - CHOWN
- - NET_RAW
- - DAC_OVERRIDE
- - FOWNER
- - DAC_READ_SEARCH
- - FSETID
- - KILL
- - SETGID
- - SETUID
- - LINUX_IMMUTABLE
- - NET_BIND_SERVICE
- - NET_BROADCAST
- - IPC_LOCK
- - IPC_OWNER
- - SYS_CHROOT
- - SYS_PTRACE
- - SYS_BOOT
- - LEASE
- - SETFCAP
- - WAKE_ALARM
- - BLOCK_SUSPEND
+ capabilities: {}
 securityContext:
 runAsNonRoot: true
 seccompProfile:
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted2.yaml
index 582606acb86..994711fd4f6 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted2.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted2.yaml
@@ -9,44 +9,88 @@ spec:
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
- add:
+ drop:
+ - SYS_TIME
+ - SYS_MODULE
+ - SYS_RAWIO
+ - SYS_PACCT
+ - SYS_ADMIN
+ - SYS_NICE
+ - SYS_RESOURCE
+ - SYS_TIME
+ - SYS_TTY_CONFIG
+ - MKNOD
 - AUDIT_WRITE
+ - AUDIT_CONTROL
+ - MAC_OVERRIDE
+ - MAC_ADMIN
+ - NET_ADMIN
+ - SYSLOG
 - CHOWN
+ - NET_RAW
 - DAC_OVERRIDE
 - FOWNER
+ - DAC_READ_SEARCH
 - FSETID
 - KILL
- - MKNOD
- - NET_BIND_SERVICE
- - SETFCAP
 - SETGID
- - SETPCAP
 - SETUID
+ - LINUX_IMMUTABLE
+ - NET_BIND_SERVICE
+ - NET_BROADCAST
+ - IPC_LOCK
+ - IPC_OWNER
 - SYS_CHROOT
- drop:
- - ALL
+ - SYS_PTRACE
+ - SYS_BOOT
+ - LEASE
+ - SETFCAP
+ - WAKE_ALARM
+ - BLOCK_SUSPEND
 initContainers:
 - image: k8s.gcr.io/pause
 name: initcontainer1
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
- add:
+ drop:
+ - SYS_TIME
+ - SYS_MODULE
+ - SYS_RAWIO
+ - SYS_PACCT
+ - SYS_ADMIN
+ - SYS_NICE
+ - SYS_RESOURCE
+ - SYS_TIME
+ - SYS_TTY_CONFIG
+ - MKNOD
 - AUDIT_WRITE
+ - AUDIT_CONTROL
+ - MAC_OVERRIDE
+ - MAC_ADMIN
+ - NET_ADMIN
+ - SYSLOG
 - CHOWN
+ - NET_RAW
 - DAC_OVERRIDE
 - FOWNER
+ - DAC_READ_SEARCH
 - FSETID
 - KILL
- - MKNOD
- - NET_BIND_SERVICE
- - SETFCAP
 - SETGID
- - SETPCAP
 - SETUID
+ - LINUX_IMMUTABLE
+ - NET_BIND_SERVICE
+ - NET_BROADCAST
+ - IPC_LOCK
+ - IPC_OWNER
 - SYS_CHROOT
- drop:
- - ALL
+ - SYS_PTRACE
+ - SYS_BOOT
+ - LEASE
+ - SETFCAP
+ - WAKE_ALARM
+ - BLOCK_SUSPEND
 securityContext:
 runAsNonRoot: true
 seccompProfile:
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/capabilities_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted3.yaml
similarity index 54%
rename from staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/capabilities_restricted1.yaml
rename to staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted3.yaml
index af9260257e2..0a8bbe29efa 100755
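Review bot: The regenerated `drop` list in both containers of this hunk carries `SYS_TIME` twice (the first `+ - SYS_TIME` entry and again right after `SYS_RESOURCE`), so the fixture now commits a duplicate sequence item. Since the commit only regenerates files, the duplicate presumably originates in the capability list the generator iterates over rather than in this file; dropping one `SYS_TIME` there keeps the next regeneration from re-introducing it. The duplicate does not change what the fixture exercises as far as the diff shows (a per-capability `drop` without `ALL`, placed under fail/), but a duplicated entry in a reference list invites copy errors into the policy's own tables. The same duplicate is visible in the list removed from capabilities_restricted1.yaml in the previous hunk, which is history only.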
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/capabilities_restricted1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted3.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
- name: capabilities_restricted1
+ name: capabilities_restricted3
 spec:
 containers:
 - image: k8s.gcr.io/pause
@@ -10,7 +10,19 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
 - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
 drop:
 - ALL
 initContainers:
@@ -20,7 +32,19 @@ spec:
 allowPrivilegeEscalation: false
 capabilities:
 add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
 - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
 drop:
 - ALL
 securityContext:
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/capabilities_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/capabilities_restricted0.yaml
index 4556dadd09c..46e12f62fc4 100755
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/capabilities_restricted0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/capabilities_restricted0.yaml
@@ -9,6 +9,8 @@ spec:
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
+ add:
+ - NET_BIND_SERVICE
 drop:
 - ALL
 initContainers:
@@ -17,6 +19,8 @@ spec:
 securityContext:
 allowPrivilegeEscalation: false
 capabilities:
+ add:
+ - NET_BIND_SERVICE
 drop:
 - ALL
 securityContext:
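Review bot: After the two pass/capabilities_restricted0.yaml hunks add `add:` / `- NET_BIND_SERVICE` to both containers, and with pass/capabilities_restricted1.yaml renamed into fail/ as capabilities_restricted3.yaml, this diff leaves no passing fixture whose `capabilities` is just `drop:` / `- ALL` with no `add` at all. Unless a pass fixture outside the five files in the diffstat still covers it, the minimal compliant shape for the restricted capabilities check is no longer exercised on the passing side, and a regression that started rejecting an absent `add` would go unnoticed. Keeping one add-free pass fixture (the pre-change content of pass/capabilities_restricted0.yaml) alongside the NET_BIND_SERVICE one would restore that coverage; if the omission is deliberate, a comment in the generator explaining why would help the next regeneration.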