github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 13:37:30 +00:00
Code Issues Projects Releases Wiki Activity

PodSecurity: restricted capabilities: regenerate files

Browse Source
This commit is contained in:
Jordan Liggitt 2021-07-07 17:28:51 -04:00
parent f10dfc6e30
commit 62b71175e7
5 changed files with 92 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted0.yaml vendored
View File

@ -14,7 +14,9 @@ spec:
name: initcontainer1 name: initcontainer1
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: {} capabilities:
drop:
- ALL
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
seccompProfile: seccompProfile:

78
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted1.yaml vendored
View File

@ -10,87 +10,13 @@ spec:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
drop: drop:
- SYS_TIME - ALL
- SYS_MODULE
- SYS_RAWIO
- SYS_PACCT
- SYS_ADMIN
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- MKNOD
- AUDIT_WRITE
- AUDIT_CONTROL
- MAC_OVERRIDE
- MAC_ADMIN
- NET_ADMIN
- SYSLOG
- CHOWN
- NET_RAW
- DAC_OVERRIDE
- FOWNER
- DAC_READ_SEARCH
- FSETID
- KILL
- SETGID
- SETUID
- LINUX_IMMUTABLE
- NET_BIND_SERVICE
- NET_BROADCAST
- IPC_LOCK
- IPC_OWNER
- SYS_CHROOT
- SYS_PTRACE
- SYS_BOOT
- LEASE
- SETFCAP
- WAKE_ALARM
- BLOCK_SUSPEND
initContainers: initContainers:
- image: k8s.gcr.io/pause - image: k8s.gcr.io/pause
name: initcontainer1 name: initcontainer1
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities: {}
drop:
- SYS_TIME
- SYS_MODULE
- SYS_RAWIO
- SYS_PACCT
- SYS_ADMIN
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- MKNOD
- AUDIT_WRITE
- AUDIT_CONTROL
- MAC_OVERRIDE
- MAC_ADMIN
- NET_ADMIN
- SYSLOG
- CHOWN
- NET_RAW
- DAC_OVERRIDE
- FOWNER
- DAC_READ_SEARCH
- FSETID
- KILL
- SETGID
- SETUID
- LINUX_IMMUTABLE
- NET_BIND_SERVICE
- NET_BROADCAST
- IPC_LOCK
- IPC_OWNER
- SYS_CHROOT
- SYS_PTRACE
- SYS_BOOT
- LEASE
- SETFCAP
- WAKE_ALARM
- BLOCK_SUSPEND
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
seccompProfile: seccompProfile:

72
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted2.yaml vendored
View File

@ -9,44 +9,88 @@ spec:
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
add: drop:
- SYS_TIME
- SYS_MODULE
- SYS_RAWIO
- SYS_PACCT
- SYS_ADMIN
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- MKNOD
- AUDIT_WRITE - AUDIT_WRITE
- AUDIT_CONTROL
- MAC_OVERRIDE
- MAC_ADMIN
- NET_ADMIN
- SYSLOG
- CHOWN - CHOWN
- NET_RAW
- DAC_OVERRIDE - DAC_OVERRIDE
- FOWNER - FOWNER
- DAC_READ_SEARCH
- FSETID - FSETID
- KILL - KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID - SETGID
- SETPCAP
- SETUID - SETUID
- LINUX_IMMUTABLE
- NET_BIND_SERVICE
- NET_BROADCAST
- IPC_LOCK
- IPC_OWNER
- SYS_CHROOT - SYS_CHROOT
drop: - SYS_PTRACE
- ALL - SYS_BOOT
- LEASE
- SETFCAP
- WAKE_ALARM
- BLOCK_SUSPEND
initContainers: initContainers:
- image: k8s.gcr.io/pause - image: k8s.gcr.io/pause
name: initcontainer1 name: initcontainer1
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
add: drop:
- SYS_TIME
- SYS_MODULE
- SYS_RAWIO
- SYS_PACCT
- SYS_ADMIN
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- MKNOD
- AUDIT_WRITE - AUDIT_WRITE
- AUDIT_CONTROL
- MAC_OVERRIDE
- MAC_ADMIN
- NET_ADMIN
- SYSLOG
- CHOWN - CHOWN
- NET_RAW
- DAC_OVERRIDE - DAC_OVERRIDE
- FOWNER - FOWNER
- DAC_READ_SEARCH
- FSETID - FSETID
- KILL - KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID - SETGID
- SETPCAP
- SETUID - SETUID
- LINUX_IMMUTABLE
- NET_BIND_SERVICE
- NET_BROADCAST
- IPC_LOCK
- IPC_OWNER
- SYS_CHROOT - SYS_CHROOT
drop: - SYS_PTRACE
- ALL - SYS_BOOT
- LEASE
- SETFCAP
- WAKE_ALARM
- BLOCK_SUSPEND
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
seccompProfile: seccompProfile:

26
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/capabilities_restricted1.yaml → staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/capabilities_restricted3.yaml vendored
View File

@ -1,7 +1,7 @@
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: capabilities_restricted1 name: capabilities_restricted3
spec: spec:
containers: containers:
- image: k8s.gcr.io/pause - image: k8s.gcr.io/pause
@ -10,7 +10,19 @@ spec:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
add: add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE - NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
drop: drop:
- ALL - ALL
initContainers: initContainers:
@ -20,7 +32,19 @@ spec:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
add: add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE - NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
drop: drop:
- ALL - ALL
securityContext: securityContext:

4
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/capabilities_restricted0.yaml vendored
View File

@ -9,6 +9,8 @@ spec:
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
add:
- NET_BIND_SERVICE
drop: drop:
- ALL - ALL
initContainers: initContainers:
@ -17,6 +19,8 @@ spec:
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
add:
- NET_BIND_SERVICE
drop: drop:
- ALL - ALL
securityContext: securityContext: