diff --git a/pkg/kubelet/sysctl/safe_sysctls.go b/pkg/kubelet/sysctl/safe_sysctls.go
index 738846121ed..c182cb96cc2 100644
--- a/pkg/kubelet/sysctl/safe_sysctls.go
+++ b/pkg/kubelet/sysctl/safe_sysctls.go
@@ -16,17 +16,49 @@ limitations under the License.
 package sysctl
+import (
+ "k8s.io/apimachinery/pkg/util/version"
+ "k8s.io/klog/v2"
+ "k8s.io/kubernetes/pkg/proxy/ipvs"
+)
+
+const ipLocalReservedPortsMinNamespacedKernelVersion = "3.16"
+
+var safeSysctls = []string{
+ "kernel.shm_rmid_forced",
+ "net.ipv4.ip_local_port_range",
+ "net.ipv4.tcp_syncookies",
+ "net.ipv4.ping_group_range",
+ "net.ipv4.ip_unprivileged_port_start",
+}
+
 // SafeSysctlAllowlist returns the allowlist of safe sysctls and safe sysctl patterns (ending in *).
 //
 // A sysctl is called safe iff
 // - it is namespaced in the container or the pod
 // - it is isolated, i.e. has no influence on any other pod on the same node.
 func SafeSysctlAllowlist() []string {
+ kernelVersionStr, err := ipvs.NewLinuxKernelHandler().GetKernelVersion()
+ if err != nil {
+ klog.ErrorS(err, "Failed to get kernel version.")
+ return safeSysctls
+ }
+ kernelVersion, err := version.ParseGeneric(kernelVersionStr)
+ if err != nil {
+ klog.ErrorS(err, "Failed to parse kernel version.")
+ return safeSysctls
+ }
+ // ip_local_reserved_ports has been changed to namesapced since kernel v3.16.
+ // refer to https://github.com/torvalds/linux/commit/122ff243f5f104194750ecbc76d5946dd1eec934.
+ if kernelVersion.LessThan(version.MustParseGeneric(ipLocalReservedPortsMinNamespacedKernelVersion)) {
+ return safeSysctls
+ }
 return []string{
 "kernel.shm_rmid_forced",
 "net.ipv4.ip_local_port_range",
 "net.ipv4.tcp_syncookies",
 "net.ipv4.ping_group_range",
 "net.ipv4.ip_unprivileged_port_start",
+ "net.ipv4.ip_local_reserved_ports",
 }
 }
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
index 63fb07e9173..95c5eff286a 100644
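Review bot: All three early returns in SafeSysctlAllowlist hand out the package-level `safeSysctls` slice itself, so a caller that assigns into the returned slice edits the kubelet's allowlist for every later caller, whereas the old code returned a fresh literal on each call; `return append([]string(nil), safeSysctls...)` keeps that isolation. The happy-path literal then restates the same five names, and building it from the copy, `append(append([]string(nil), safeSysctls...), "net.ipv4.ip_local_reserved_ports")`, makes the kernel-gated entry the only difference and stops the two lists drifting apart. The kernel version is re-read through `ipvs.NewLinuxKernelHandler()` from the proxy package and the minimum re-parsed by `version.MustParseGeneric(ipLocalReservedPortsMinNamespacedKernelVersion)` on every call; parsing the minimum once into a package-level var avoids the repeated work, and a kubelet-local kernel-version helper would avoid tying the kubelet to `k8s.io/kubernetes/pkg/proxy/ipvs` for this one read. Since the admission side of this commit allows the sysctl unconditionally at v1.27 while the kubelet gates it per node, a pod admitted by the policy would presumably still be rejected by a kubelet on a pre-3.16 kernel; that is worth a sentence in the doc comment. Minor: `namesapced` in the comment should read `namespaced`.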
--- a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
@@ -42,6 +42,7 @@ spec.securityContext.sysctls[*].name
 'net.ipv4.tcp_syncookies'
 'net.ipv4.ping_group_range'
 'net.ipv4.ip_unprivileged_port_start'
+'net.ipv4.ip_local_reserved_ports'
 */
@@ -60,6 +61,10 @@ func CheckSysctls() Check {
 MinimumVersion: api.MajorMinorVersion(1, 0),
 CheckPod: sysctls_1_0,
 },
+ {
+ MinimumVersion: api.MajorMinorVersion(1, 27),
+ CheckPod: sysctls_1_27,
+ },
 },
 }
 }
@@ -72,14 +77,30 @@ var (
 "net.ipv4.ping_group_range",
 "net.ipv4.ip_unprivileged_port_start",
 )
+ sysctls_allowed_1_27 = sets.NewString(
+ "kernel.shm_rmid_forced",
+ "net.ipv4.ip_local_port_range",
+ "net.ipv4.tcp_syncookies",
+ "net.ipv4.ping_group_range",
+ "net.ipv4.ip_unprivileged_port_start",
+ "net.ipv4.ip_local_reserved_ports",
+ )
 )
 func sysctls_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+ return sysctls(podMetadata, podSpec, sysctls_allowed_1_0)
+}
+
+func sysctls_1_27(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+ return sysctls(podMetadata, podSpec, sysctls_allowed_1_27)
+}
+
+func sysctls(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, sysctls_allowed_set sets.String) CheckResult {
 var forbiddenSysctls []string
 if podSpec.SecurityContext != nil {
 for _, sysctl := range podSpec.SecurityContext.Sysctls {
- if !sysctls_allowed_1_0.Has(sysctl.Name) {
+ if !sysctls_allowed_set.Has(sysctl.Name) {
 forbiddenSysctls = append(forbiddenSysctls, sysctl.Name)
 }
 }
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls_test.go
index 450b383146e..b1940d77252 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls_test.go
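Review bot: In the @@ -72 hunk `sysctls_allowed_1_27` restates every entry of `sysctls_allowed_1_0` and adds one, so the policy delta between the two versions is only visible by eye; deriving it, `sysctls_allowed_1_27 = sysctls_allowed_1_0.Union(sets.NewString("net.ipv4.ip_local_reserved_ports"))`, makes the added allowance explicit and prevents the two sets from drifting. The new shared helper `sysctls` has no comment; a line such as `// sysctls collects the pod-level sysctls in podSpec whose names are not in sysctls_allowed_set and builds the CheckResult from them.` would document the contract both versioned checks now rely on. The parameter name `sysctls_allowed_set` mixes underscores into a signature whose other parameters are camelCase (`podMetadata`, `podSpec`); `allowedSysctls` would read as idiomatic Go. The body of `sysctls` continues past the end of the hunk.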
@@ -26,6 +26,7 @@ func TestSysctls(t *testing.T) {
 tests := []struct {
 name string
 pod *corev1.Pod
+ allowed bool
 expectReason string
 expectDetail string
 }{
@@ -36,22 +37,92 @@ func TestSysctls(t *testing.T) {
 Sysctls: []corev1.Sysctl{{Name: "a"}, {Name: "b"}},
 },
 }},
+ allowed: false,
 expectReason: `forbidden sysctls`,
 expectDetail: `a, b`,
 },
+ {
+ name: "new supported sysctls not supported",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ Sysctls: []corev1.Sysctl{{Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"}},
+ },
+ }},
+ allowed: false,
+ expectReason: `forbidden sysctls`,
+ expectDetail: `net.ipv4.ip_local_reserved_ports`,
+ },
 }
 for _, tc := range tests {
 t.Run(tc.name, func(t *testing.T) {
 result := sysctls_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
- if result.Allowed {
- t.Fatal("expected disallowed")
- }
- if e, a := tc.expectReason, result.ForbiddenReason; e != a {
- t.Errorf("expected\n%s\ngot\n%s", e, a)
- }
- if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
- t.Errorf("expected\n%s\ngot\n%s", e, a)
+ if !tc.allowed {
+ if result.Allowed {
+ t.Fatal("expected disallowed")
+ }
+ if e, a := tc.expectReason, result.ForbiddenReason; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ } else {
+ if !result.Allowed {
+ t.Fatal("expected allowed")
+ }
+ }
+ })
+ }
+}
+
+func TestSysctls_1_27(t *testing.T) {
+ tests := []struct {
+ name string
+ pod *corev1.Pod
+ allowed bool
+ expectReason string
+ expectDetail string
+ }{
+ {
+ name: "forbidden sysctls",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ Sysctls: []corev1.Sysctl{{Name: "a"}, {Name: "b"}},
+ },
+ }},
+ allowed: false,
+ expectReason: `forbidden sysctls`,
+ expectDetail: `a, b`,
+ },
+ {
+ name: "new supported sysctls",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{
+ Sysctls: []corev1.Sysctl{{Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"}},
+ },
+ }},
+ allowed: true,
+ },
+ }
+
+ for _, tc := range tests {
+ t.Run(tc.name, func(t *testing.T) {
+ result := sysctls_1_27(&tc.pod.ObjectMeta, &tc.pod.Spec)
+ if !tc.allowed {
+ if result.Allowed {
+ t.Fatal("expected disallowed")
+ }
+ if e, a := tc.expectReason, result.ForbiddenReason; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ } else {
+ if !result.Allowed {
+ t.Fatal("expected allowed")
+ }
 }
 })
 }
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
index a348224e56d..dd3f0ccdd51 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_sysctls.go
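Review bot: TestSysctls_1_27 duplicates the whole of TestSysctls, table struct and assertion loop included, with only the checker swapped from `sysctls_1_0` to `sysctls_1_27`; adding a checker field to the table, `check func(*metav1.ObjectMeta, *corev1.PodSpec) CheckResult` (importing metav1 in the test file if it is not already), and calling `tc.check(&tc.pod.ObjectMeta, &tc.pod.Spec)` would keep one assertion body for both policy versions. The `allowed` branch in both loops checks only `result.Allowed`; also asserting `result.ForbiddenReason == ""` would catch a checker that allows the pod but leaves stale reason text behind. The case name `new supported sysctls not supported` in TestSysctls is hard to parse; `new sysctl not yet allowed at v1.0` says what the case pins.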
@@ -70,4 +70,45 @@ func init() {
 fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 0), check: "sysctls"},
 fixtureData_1_0,
 )
+ fixtureData_1_27 := fixtureGenerator{
+ expectErrorSubstring: "forbidden sysctl",
+ generatePass: func(p *corev1.Pod) []*corev1.Pod {
+ if p.Spec.SecurityContext == nil {
+ p.Spec.SecurityContext = &corev1.PodSecurityContext{}
+ }
+ return []*corev1.Pod{
+ // security context with no sysctls
+ tweak(p, func(p *corev1.Pod) { p.Spec.SecurityContext.Sysctls = nil }),
+ // sysctls with name="kernel.shm_rmid_forced" ,"net.ipv4.ip_local_port_range"
+ // "net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range",
+ // "net.ipv4.ip_unprivileged_port_start", "net.ipv4.ip_local_reserved_ports"
+ tweak(p, func(p *corev1.Pod) {
+ p.Spec.SecurityContext.Sysctls = []corev1.Sysctl{
+ {Name: "kernel.shm_rmid_forced", Value: "0"},
+ {Name: "net.ipv4.ip_local_port_range", Value: "1024 65535"},
+ {Name: "net.ipv4.tcp_syncookies", Value: "0"},
+ {Name: "net.ipv4.ping_group_range", Value: "1 0"},
+ {Name: "net.ipv4.ip_unprivileged_port_start", Value: "1024"},
+ {Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"},
+ }
+ }),
+ }
+ },
+ generateFail: func(p *corev1.Pod) []*corev1.Pod {
+ if p.Spec.SecurityContext == nil {
+ p.Spec.SecurityContext = &corev1.PodSecurityContext{}
+ }
+ return []*corev1.Pod{
+ // sysctls with out of allowed name
+ tweak(p, func(p *corev1.Pod) {
+ p.Spec.SecurityContext.Sysctls = []corev1.Sysctl{{Name: "othersysctl", Value: "other"}}
+ }),
+ }
+ },
+ }
+
+ registerFixtureGenerator(
+ fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 27), check: "sysctls"},
+ fixtureData_1_27,
+ )
 }
diff --git a/staging/src/k8s.io/pod-security-admission/test/run.go b/staging/src/k8s.io/pod-security-admission/test/run.go
index 3c1fdd81938..a10432b6de8 100644
--- a/staging/src/k8s.io/pod-security-admission/test/run.go
+++ b/staging/src/k8s.io/pod-security-admission/test/run.go
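Review bot: The only pass fixture that carries `net.ipv4.ip_local_reserved_ports` sets it together with the five sysctls already allowed at v1.0, so a failure of that fixture does not say which of the six names was rejected; a second pass pod listing only `{Name: "net.ipv4.ip_local_reserved_ports", Value: "1024-4999"}` would pin the new allowance on its own and produce a fixture file named for it. The v1.27 generator otherwise appears to repeat the v1.0 one (defined above this hunk) with one entry added; if that is so, starting from `fixtureData_1_0` and replacing only `generatePass` would make the delta between the two policy versions visible. The comment `// sysctls with out of allowed name` would read better as `// a sysctl outside the allowed set`. The `init` function begins before the hunk.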
@@ -37,8 +37,8 @@ import ( ) const ( - newestMinorVersionToTest = 25 - podOSBasedRestrictionEnabledVersion = 25 + newestMinorVersionToTest = 27 + podOSBasedRestrictionEnabledVersion = 27 ) // Options hold configuration for running integration tests against an existing server. diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/apparmorprofile0.yaml new file mode 100755 index 00000000000..87475d347dd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/apparmorprofile0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container1: unconfined + name: apparmorprofile0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/apparmorprofile1.yaml new file mode 100755 index 00000000000..5940a639ec4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/apparmorprofile1.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined + name: apparmorprofile1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/capabilities_baseline0.yaml new file mode 100755 index 00000000000..e01a9dece8c --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/capabilities_baseline0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + add: + - NET_RAW + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/capabilities_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/capabilities_baseline1.yaml new file mode 100755 index 00000000000..92239d17896 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/capabilities_baseline1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - NET_RAW + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/capabilities_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/capabilities_baseline2.yaml new file mode 100755 index 00000000000..089d8c184c2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/capabilities_baseline2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + add: + - chown + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/capabilities_baseline3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/capabilities_baseline3.yaml new file mode 100755 index 00000000000..4befa1edbea --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/capabilities_baseline3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostnamespaces0.yaml new file mode 100755 index 00000000000..1c4ca9a560a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostnamespaces0.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + hostIPC: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostnamespaces1.yaml new file mode 100755 index 00000000000..7967a6d50a9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostnamespaces1.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostnamespaces2.yaml new file mode 100755 index 00000000000..00039668cd2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostnamespaces2.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + hostPID: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostpathvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostpathvolumes0.yaml new file mode 100755 index 00000000000..7f026136fae --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostpathvolumes0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + volumes: + - emptyDir: {} + name: volume-emptydir + - hostPath: + path: /a + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostpathvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostpathvolumes1.yaml new file mode 100755 index 00000000000..382d27f4f49 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostpathvolumes1.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /a + name: volume-hostpath-a + - hostPath: + path: /b + name: volume-hostpath-b diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostports0.yaml new file mode 100755 index 00000000000..ebfdcd48d0d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostports0.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostports1.yaml new file mode 100755 index 00000000000..d9a2b97af3a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostports1.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostports2.yaml new file mode 100755 index 00000000000..61b3388f0a7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/hostports2.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + - containerPort: 12347 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + - containerPort: 12348 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/privileged0.yaml new file mode 100755 index 00000000000..e5cc7b94fdd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/privileged1.yaml new file mode 100755 index 00000000000..31935b9955c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/procmount0.yaml new file mode 100755 index 00000000000..5e47a75fde5 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/procmount1.yaml new file mode 100755 index 00000000000..accf6c3d7fe --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/seccompprofile_baseline0.yaml new file mode 100755 index 00000000000..f455958da82 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/seccompprofile_baseline0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seccompProfile: + type: Unconfined 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/seccompprofile_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/seccompprofile_baseline1.yaml new file mode 100755 index 00000000000..8a86112acd1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/seccompprofile_baseline1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seccompProfile: + type: Unconfined + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/seccompprofile_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/seccompprofile_baseline2.yaml new file mode 100755 index 00000000000..21822558178 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/seccompprofile_baseline2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seccompProfile: + type: Unconfined + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/selinuxoptions0.yaml new file mode 100755 index 00000000000..f3307078cd7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/selinuxoptions0.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/selinuxoptions1.yaml new file mode 100755 index 00000000000..6629d05efc4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/selinuxoptions1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: somevalue + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/selinuxoptions2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/selinuxoptions2.yaml new file mode 100755 index 00000000000..65876a92b61 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/selinuxoptions2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: somevalue + securityContext: + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/selinuxoptions3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/selinuxoptions3.yaml new file mode 100755 index 00000000000..71d89fbe572 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/selinuxoptions3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + user: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/selinuxoptions4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/selinuxoptions4.yaml new file mode 100755 index 00000000000..74e05cbb709 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/selinuxoptions4.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + role: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/sysctls0.yaml new file mode 100755 index 00000000000..81508d69e60 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/sysctls0.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + sysctls: + - name: othersysctl + value: other diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/windowshostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/windowshostprocess0.yaml new file mode 100755 index 00000000000..1e506b1f803 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/windowshostprocess0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: windowshostprocess0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + windowsOptions: {} + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + windowsOptions: {} + securityContext: + windowsOptions: + hostProcess: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/windowshostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/windowshostprocess1.yaml new file mode 100755 index 00000000000..1a9d3e94a0e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/fail/windowshostprocess1.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: windowshostprocess1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + windowsOptions: + hostProcess: true + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + windowsOptions: + hostProcess: true + securityContext: + windowsOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/apparmorprofile0.yaml new file mode 100755 index 00000000000..213a6a6c411 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/apparmorprofile0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container1: localhost/foo + name: apparmorprofile0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/base.yaml new file mode 100755 index 00000000000..387a4be3170 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/base.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/capabilities_baseline0.yaml new file mode 100755 index 00000000000..df93c1cd652 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/capabilities_baseline0.yaml 
@@ -0,0 +1,44 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/hostports0.yaml new file mode 100755 index 00000000000..61fddccdbbe --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/hostports0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/privileged0.yaml new file mode 100755 index 00000000000..0b64b687c7a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/privileged0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/procmount0.yaml new file mode 100755 index 00000000000..e75080af28a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/procmount0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/seccompprofile_baseline0.yaml new file mode 100755 index 00000000000..2e05d163254 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/seccompprofile_baseline0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seccompProfile: + type: RuntimeDefault + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/selinuxoptions0.yaml new file mode 100755 index 00000000000..dafa4dbc3de --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/selinuxoptions0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/selinuxoptions1.yaml new file mode 100755 index 00000000000..a2688f5c23e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/selinuxoptions1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: + level: somevalue + type: container_init_t + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_kvm_t + securityContext: + seLinuxOptions: + type: container_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/sysctls0.yaml new file mode 100755 index 00000000000..2148dc0867e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/sysctls0.yaml 
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/sysctls1.yaml new file mode 100755 index 00000000000..ad69dea871f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.26/pass/sysctls1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "0" + - name: net.ipv4.ip_local_port_range + value: 1024 65535 + - name: net.ipv4.tcp_syncookies + value: "0" + - name: net.ipv4.ping_group_range + value: 1 0 + - name: net.ipv4.ip_unprivileged_port_start + value: "1024" diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/apparmorprofile0.yaml new file mode 100755 index 00000000000..87475d347dd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/apparmorprofile0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container1: unconfined + name: apparmorprofile0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/apparmorprofile1.yaml new file mode 100755 index 00000000000..5940a639ec4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/apparmorprofile1.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined + name: apparmorprofile1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/capabilities_baseline0.yaml new file mode 100755 index 00000000000..e01a9dece8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/capabilities_baseline0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + add: + - NET_RAW + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/capabilities_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/capabilities_baseline1.yaml new file mode 100755 index 00000000000..92239d17896 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/capabilities_baseline1.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - NET_RAW + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/capabilities_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/capabilities_baseline2.yaml new file mode 100755 index 00000000000..089d8c184c2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/capabilities_baseline2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + add: + - chown + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/capabilities_baseline3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/capabilities_baseline3.yaml new file mode 100755 index 00000000000..4befa1edbea --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/capabilities_baseline3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostnamespaces0.yaml new file mode 100755 index 00000000000..1c4ca9a560a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostnamespaces0.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + hostIPC: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostnamespaces1.yaml new file mode 100755 index 00000000000..7967a6d50a9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostnamespaces1.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostnamespaces2.yaml new file mode 100755 index 00000000000..00039668cd2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostnamespaces2.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + hostPID: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostpathvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostpathvolumes0.yaml new file mode 100755 index 00000000000..7f026136fae --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostpathvolumes0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + volumes: + - emptyDir: {} + name: volume-emptydir + - hostPath: + path: /a + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostpathvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostpathvolumes1.yaml new file mode 100755 index 00000000000..382d27f4f49 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostpathvolumes1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /a + name: volume-hostpath-a + - hostPath: + path: /b + name: volume-hostpath-b diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostports0.yaml new file mode 100755 index 00000000000..ebfdcd48d0d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostports0.yaml 
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostports1.yaml new file mode 100755 index 00000000000..d9a2b97af3a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostports1.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostports2.yaml new file mode 100755 index 00000000000..61b3388f0a7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/hostports2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + - containerPort: 12347 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + - containerPort: 12348 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/privileged0.yaml new file mode 100755 index 00000000000..e5cc7b94fdd --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/privileged1.yaml new file mode 100755 index 00000000000..31935b9955c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/procmount0.yaml new file mode 100755 index 00000000000..5e47a75fde5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/procmount1.yaml new file mode 100755 index 00000000000..accf6c3d7fe 
--- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/seccompprofile_baseline0.yaml new file mode 100755 index 00000000000..f455958da82 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/seccompprofile_baseline0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/seccompprofile_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/seccompprofile_baseline1.yaml new file mode 100755 index 00000000000..8a86112acd1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/seccompprofile_baseline1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seccompProfile: + type: Unconfined + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/seccompprofile_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/seccompprofile_baseline2.yaml new file mode 100755 index 00000000000..21822558178 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/seccompprofile_baseline2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seccompProfile: + type: Unconfined + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/selinuxoptions0.yaml new file mode 100755 index 00000000000..f3307078cd7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/selinuxoptions0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/selinuxoptions1.yaml new file mode 100755 index 00000000000..6629d05efc4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/selinuxoptions1.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: somevalue + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/selinuxoptions2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/selinuxoptions2.yaml new file mode 100755 index 00000000000..65876a92b61 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/selinuxoptions2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/selinuxoptions3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/selinuxoptions3.yaml new file mode 100755 index 00000000000..71d89fbe572 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/selinuxoptions3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + user: somevalue 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/selinuxoptions4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/selinuxoptions4.yaml new file mode 100755 index 00000000000..74e05cbb709 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/selinuxoptions4.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + role: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/sysctls0.yaml new file mode 100755 index 00000000000..81508d69e60 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/sysctls0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + sysctls: + - name: othersysctl + value: other diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/windowshostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/windowshostprocess0.yaml new file mode 100755 index 00000000000..1e506b1f803 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/windowshostprocess0.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: windowshostprocess0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + windowsOptions: {} + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + windowsOptions: {} + securityContext: + windowsOptions: + hostProcess: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/windowshostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/windowshostprocess1.yaml new file mode 100755 index 00000000000..1a9d3e94a0e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/fail/windowshostprocess1.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: windowshostprocess1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + windowsOptions: + hostProcess: true + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + windowsOptions: + hostProcess: true + securityContext: + windowsOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/apparmorprofile0.yaml new file mode 100755 index 00000000000..213a6a6c411 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/apparmorprofile0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container1: localhost/foo + name: apparmorprofile0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/base.yaml new file mode 100755 index 00000000000..387a4be3170 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/base.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/capabilities_baseline0.yaml new file mode 100755 index 00000000000..df93c1cd652 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/capabilities_baseline0.yaml @@ -0,0 +1,44 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/hostports0.yaml new file mode 100755 index 00000000000..61fddccdbbe --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/hostports0.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/privileged0.yaml new file mode 100755 index 00000000000..0b64b687c7a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/procmount0.yaml new file mode 100755 index 00000000000..e75080af28a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/procmount0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/seccompprofile_baseline0.yaml new file mode 100755 index 00000000000..2e05d163254 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/seccompprofile_baseline0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seccompProfile: + type: RuntimeDefault + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/selinuxoptions0.yaml new file mode 100755 index 00000000000..dafa4dbc3de --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/selinuxoptions0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/selinuxoptions1.yaml new file mode 100755 index 00000000000..a2688f5c23e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/selinuxoptions1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: + level: somevalue + type: container_init_t + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_kvm_t + securityContext: + seLinuxOptions: + type: container_t 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/sysctls0.yaml new file mode 100755 index 00000000000..2148dc0867e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/sysctls0.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/sysctls1.yaml new file mode 100755 index 00000000000..0ab1ea65ce4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.27/pass/sysctls1.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "0" + - name: net.ipv4.ip_local_port_range + value: 1024 65535 + - name: net.ipv4.tcp_syncookies + value: "0" + - name: net.ipv4.ping_group_range + value: 1 0 + - name: net.ipv4.ip_unprivileged_port_start + value: "1024" + - name: net.ipv4.ip_local_reserved_ports + value: 1024-4999 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/allowprivilegeescalation0.yaml new file mode 100755 index 00000000000..837b55acc95 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/allowprivilegeescalation0.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/allowprivilegeescalation1.yaml new file mode 100755 index 00000000000..61894665579 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/allowprivilegeescalation1.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/allowprivilegeescalation2.yaml new file mode 100755 index 00000000000..9302cc63494 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/allowprivilegeescalation2.yaml 
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/allowprivilegeescalation3.yaml new file mode 100755 index 00000000000..083ce350f4e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/allowprivilegeescalation3.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/apparmorprofile0.yaml new file mode 100755 index 00000000000..14de67ea27c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/apparmorprofile0.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container1: unconfined + name: apparmorprofile0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/apparmorprofile1.yaml new file mode 100755 index 00000000000..0e4313b5421 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/apparmorprofile1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined + name: apparmorprofile1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_baseline0.yaml new file mode 100755 index 00000000000..2be0164f3e1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_baseline0.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_baseline1.yaml new file mode 100755 index 00000000000..f68d6b38830 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_baseline1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_baseline2.yaml new file mode 100755 index 00000000000..702bd87de6e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_baseline2.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_baseline3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_baseline3.yaml new file mode 100755 index 00000000000..3e6aa463175 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_baseline3.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_restricted0.yaml new file mode 100755 index 00000000000..857c11b86bb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_restricted0.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_restricted1.yaml new file mode 100755 index 00000000000..9c987673a0a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_restricted1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_restricted2.yaml new file mode 100755 index 00000000000..be25f6aeac1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_restricted2.yaml 
@@ -0,0 +1,97 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - SYS_TIME + - SYS_MODULE + - SYS_RAWIO + - SYS_PACCT + - SYS_ADMIN + - SYS_NICE + - SYS_RESOURCE + - SYS_TIME + - SYS_TTY_CONFIG + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + - MAC_OVERRIDE + - MAC_ADMIN + - NET_ADMIN + - SYSLOG + - CHOWN + - NET_RAW + - DAC_OVERRIDE + - FOWNER + - DAC_READ_SEARCH + - FSETID + - KILL + - SETGID + - SETUID + - LINUX_IMMUTABLE + - NET_BIND_SERVICE + - NET_BROADCAST + - IPC_LOCK + - IPC_OWNER + - SYS_CHROOT + - SYS_PTRACE + - SYS_BOOT + - LEASE + - SETFCAP + - WAKE_ALARM + - BLOCK_SUSPEND + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - SYS_TIME + - SYS_MODULE + - SYS_RAWIO + - SYS_PACCT + - SYS_ADMIN + - SYS_NICE + - SYS_RESOURCE + - SYS_TIME + - SYS_TTY_CONFIG + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + - MAC_OVERRIDE + - MAC_ADMIN + - NET_ADMIN + - SYSLOG + - CHOWN + - NET_RAW + - DAC_OVERRIDE + - FOWNER + - DAC_READ_SEARCH + - FSETID + - KILL + - SETGID + - SETUID + - LINUX_IMMUTABLE + - NET_BIND_SERVICE + - NET_BROADCAST + - IPC_LOCK + - IPC_OWNER + - SYS_CHROOT + - SYS_PTRACE + - SYS_BOOT + - LEASE + - SETFCAP + - WAKE_ALARM + - BLOCK_SUSPEND + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_restricted3.yaml new file mode 100755 index 00000000000..517cc3cbc20 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/capabilities_restricted3.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostnamespaces0.yaml new file mode 100755 index 00000000000..c1a7b7a4ba9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostnamespaces0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostIPC: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostnamespaces1.yaml new file mode 100755 index 00000000000..caa294e373c --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostnamespaces1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostnamespaces2.yaml new file mode 100755 index 00000000000..32350899785 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostnamespaces2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostPID: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostpathvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostpathvolumes0.yaml new file mode 100755 index 00000000000..86745e64a08 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostpathvolumes0.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - emptyDir: {} + name: volume-emptydir + - hostPath: + path: /a + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostpathvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostpathvolumes1.yaml new file mode 100755 index 00000000000..bc7759c2036 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostpathvolumes1.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /a + name: volume-hostpath-a + - hostPath: + path: /b + name: volume-hostpath-b diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostports0.yaml new file mode 100755 index 00000000000..9bf9055d9ee --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostports0.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostports1.yaml new file mode 100755 index 00000000000..ddecbf4925d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostports1.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostports2.yaml new file mode 100755 index 00000000000..ed9f6920981 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/hostports2.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + - containerPort: 12347 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + - containerPort: 12348 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/privileged0.yaml new file mode 100755 index 00000000000..7ad39f5c045 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/privileged0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + drop: + - ALL + privileged: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/privileged1.yaml new file mode 100755 index 00000000000..cb41dcb3aa4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/privileged1.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: + drop: + - ALL + privileged: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/procmount0.yaml new file mode 100755 index 00000000000..bd1b35c65be --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/procmount0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/procmount1.yaml new file mode 100755 index 00000000000..631fae1369e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/procmount1.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..5a95336d269 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - gcePersistentDisk: + pdName: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..153326fea89 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes1.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - awsElasticBlockStore: + volumeID: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..f34afe69ca8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes10.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - flocker: + datasetName: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..384e06f6b23 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes11.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - fc: + wwids: + - test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..8757fbf7fb4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes12.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - azureFile: + secretName: test + shareName: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..9e2086df359 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes13.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + vsphereVolume: + volumePath: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..d8b9605e4d1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes14.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + quobyte: + registry: localhost:1234 + volume: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..f3462ab7f43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes15.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - azureDisk: + diskName: test + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..d83daa6fcb1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes16.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + portworxVolume: + fsType: ext4 + volumeID: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..23f6b770e46 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes17.yaml 
@@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + scaleIO: + gateway: localhost + secretRef: null + system: test + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..ca5d93f57fd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes18.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..4ca4381bec9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes19.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /dev/null + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..9154458079c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes2.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..f1060bc3551 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes3.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + nfs: + path: /test + server: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..3a1447417e4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes4.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..e64cbe9ab50 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes5.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - glusterfs: + endpoints: test + path: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..4d596c9e415 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes6.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + rbd: + image: test + monitors: + - test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..c3887a35c12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes7.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - flexVolume: + driver: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..e11afbbe8ec --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes8.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - cinder: + volumeID: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..8159a4858b9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/restrictedvolumes9.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - cephfs: + monitors: + - test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasnonroot0.yaml new file mode 100755 index 00000000000..f460f659d94 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasnonroot0.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasnonroot1.yaml new file mode 100755 index 00000000000..285409793ea --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasnonroot1.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: false + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasnonroot2.yaml new file mode 100755 index 00000000000..067c7970fa7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasnonroot2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasnonroot3.yaml new file mode 100755 index 00000000000..5459f294e0b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasnonroot3.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasuser0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasuser0.yaml new file mode 100755 index 00000000000..5f7c9e0f005 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasuser0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + runAsUser: 0 + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasuser1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasuser1.yaml new file mode 100755 index 00000000000..ff62334ead6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasuser1.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 0 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasuser2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasuser2.yaml new file mode 100755 index 00000000000..26c713497d0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/runasuser2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 0 + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_baseline0.yaml new file mode 100755 index 00000000000..0b875ce5f01 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_baseline0.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_baseline1.yaml new file mode 100755 index 00000000000..3e63c31668c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_baseline1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: Unconfined + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_baseline2.yaml new file mode 100755 index 00000000000..4cd99407164 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_baseline2.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_restricted0.yaml new file mode 100755 index 00000000000..64b5604b5a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_restricted0.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_restricted1.yaml new file mode 100755 index 00000000000..2ec3d48dfb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_restricted1.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_restricted2.yaml new file mode 100755 index 00000000000..c63c622a6ad --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_restricted2.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_restricted3.yaml new file mode 100755 index 00000000000..69c969f8a68 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_restricted3.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_restricted4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_restricted4.yaml new file mode 100755 index 00000000000..b17bf7648e4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/seccompprofile_restricted4.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/selinuxoptions0.yaml new file mode 100755 index 00000000000..7135bb20b8e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/selinuxoptions0.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/selinuxoptions1.yaml new file mode 100755 index 00000000000..c99b8a5ed4f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/selinuxoptions1.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + type: somevalue + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/selinuxoptions2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/selinuxoptions2.yaml new file mode 100755 index 00000000000..f2eafc2512b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/selinuxoptions2.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + type: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/selinuxoptions3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/selinuxoptions3.yaml new file mode 100755 index 00000000000..1da063ebd1f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/selinuxoptions3.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + user: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/selinuxoptions4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/selinuxoptions4.yaml new file mode 100755 index 00000000000..a4a38fb6034 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/selinuxoptions4.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + role: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/sysctls0.yaml new file mode 100755 index 00000000000..841f73d238f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/sysctls0.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + sysctls: + - name: othersysctl + value: other diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/windowshostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/windowshostprocess0.yaml new file mode 100755 index 00000000000..4262e6a5b82 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/windowshostprocess0.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: windowshostprocess0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + windowsOptions: {} + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + windowsOptions: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/windowshostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/windowshostprocess1.yaml new file mode 100755 index 00000000000..ba1ce4a472f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/fail/windowshostprocess1.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: windowshostprocess1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + windowsOptions: + hostProcess: true + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + windowsOptions: + hostProcess: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + windowsOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/apparmorprofile0.yaml new file mode 100755 index 00000000000..53ebdaa0139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/apparmorprofile0.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container1: localhost/foo + name: apparmorprofile0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/base.yaml new file mode 100755 index 00000000000..3b4f3077dcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/base.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/capabilities_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/capabilities_restricted0.yaml new file mode 100755 index 00000000000..8a70cb3efdb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/capabilities_restricted0.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/hostports0.yaml new file mode 100755 index 00000000000..e7f11535894 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/hostports0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/privileged0.yaml new file mode 100755 index 00000000000..8e3aafdd8f1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/privileged0.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/procmount0.yaml new file mode 100755 index 00000000000..aacd7351a8a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/procmount0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Default + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Default + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..a11722485c5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/restrictedvolumes0.yaml 
@@ -0,0 +1,47 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume0 + - emptyDir: {} + name: volume1 + - name: volume2 + secret: + secretName: test + - name: volume3 + persistentVolumeClaim: + claimName: test + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume4 + - configMap: + name: test + name: volume5 + - name: volume6 + projected: + sources: [] diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/runasnonroot0.yaml new file mode 100755 index 00000000000..414ac79b469 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/runasnonroot0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/runasnonroot1.yaml new file mode 100755 index 00000000000..549b013e53f --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/runasnonroot1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/runasuser0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/runasuser0.yaml new file mode 100755 index 00000000000..ed7aff0fa12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/runasuser0.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 1000 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 1000 + securityContext: + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/seccompprofile_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/seccompprofile_restricted0.yaml new file mode 100755 index 00000000000..f904065ce46 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/seccompprofile_restricted0.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/seccompprofile_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/seccompprofile_restricted1.yaml new file mode 100755 index 00000000000..5a60fd7c59b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/seccompprofile_restricted1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + localhostProfile: testing + type: Localhost diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/seccompprofile_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/seccompprofile_restricted2.yaml new file mode 100755 index 00000000000..39d68e386b6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/seccompprofile_restricted2.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + localhostProfile: testing + type: Localhost + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/selinuxoptions0.yaml new file mode 100755 index 00000000000..a45080b7425 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/selinuxoptions0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/selinuxoptions1.yaml new file mode 100755 index 00000000000..0a8365605e9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/selinuxoptions1.yaml 
@@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + level: somevalue + type: container_init_t + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + type: container_kvm_t + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_t + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/sysctls0.yaml new file mode 100755 index 00000000000..84224ffa94d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/sysctls0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/sysctls1.yaml new file mode 100755 index 00000000000..4b0b40743c5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.26/pass/sysctls1.yaml 
@@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + sysctls: + - name: kernel.shm_rmid_forced + value: "0" + - name: net.ipv4.ip_local_port_range + value: 1024 65535 + - name: net.ipv4.tcp_syncookies + value: "0" + - name: net.ipv4.ping_group_range + value: 1 0 + - name: net.ipv4.ip_unprivileged_port_start + value: "1024" diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/allowprivilegeescalation0.yaml new file mode 100755 index 00000000000..837b55acc95 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/allowprivilegeescalation0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/allowprivilegeescalation1.yaml new file mode 100755 index 00000000000..61894665579 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/allowprivilegeescalation1.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/allowprivilegeescalation2.yaml new file mode 100755 index 00000000000..9302cc63494 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/allowprivilegeescalation2.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/allowprivilegeescalation3.yaml new file mode 100755 index 00000000000..083ce350f4e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/allowprivilegeescalation3.yaml 
@@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/apparmorprofile0.yaml new file mode 100755 index 00000000000..14de67ea27c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/apparmorprofile0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container1: unconfined + name: apparmorprofile0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/apparmorprofile1.yaml new file mode 100755 index 00000000000..0e4313b5421 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/apparmorprofile1.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined + name: apparmorprofile1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_baseline0.yaml new file mode 100755 index 00000000000..2be0164f3e1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_baseline0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_baseline1.yaml new file mode 100755 index 00000000000..f68d6b38830 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_baseline1.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_baseline2.yaml new file mode 100755 index 00000000000..702bd87de6e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_baseline2.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_baseline3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_baseline3.yaml new file mode 100755 index 00000000000..3e6aa463175 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_baseline3.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_restricted0.yaml new file mode 100755 index 00000000000..857c11b86bb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_restricted0.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_restricted1.yaml new file mode 100755 index 00000000000..9c987673a0a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_restricted1.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_restricted2.yaml new file mode 100755 index 00000000000..be25f6aeac1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_restricted2.yaml 
@@ -0,0 +1,97 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - SYS_TIME + - SYS_MODULE + - SYS_RAWIO + - SYS_PACCT + - SYS_ADMIN + - SYS_NICE + - SYS_RESOURCE + - SYS_TIME + - SYS_TTY_CONFIG + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + - MAC_OVERRIDE + - MAC_ADMIN + - NET_ADMIN + - SYSLOG + - CHOWN + - NET_RAW + - DAC_OVERRIDE + - FOWNER + - DAC_READ_SEARCH + - FSETID + - KILL + - SETGID + - SETUID + - LINUX_IMMUTABLE + - NET_BIND_SERVICE + - NET_BROADCAST + - IPC_LOCK + - IPC_OWNER + - SYS_CHROOT + - SYS_PTRACE + - SYS_BOOT + - LEASE + - SETFCAP + - WAKE_ALARM + - BLOCK_SUSPEND + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - SYS_TIME + - SYS_MODULE + - SYS_RAWIO + - SYS_PACCT + - SYS_ADMIN + - SYS_NICE + - SYS_RESOURCE + - SYS_TIME + - SYS_TTY_CONFIG + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + - MAC_OVERRIDE + - MAC_ADMIN + - NET_ADMIN + - SYSLOG + - CHOWN + - NET_RAW + - DAC_OVERRIDE + - FOWNER + - DAC_READ_SEARCH + - FSETID + - KILL + - SETGID + - SETUID + - LINUX_IMMUTABLE + - NET_BIND_SERVICE + - NET_BROADCAST + - IPC_LOCK + - IPC_OWNER + - SYS_CHROOT + - SYS_PTRACE + - SYS_BOOT + - LEASE + - SETFCAP + - WAKE_ALARM + - BLOCK_SUSPEND + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_restricted3.yaml new file mode 100755 index 00000000000..517cc3cbc20 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/capabilities_restricted3.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostnamespaces0.yaml new file mode 100755 index 00000000000..c1a7b7a4ba9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostnamespaces0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostIPC: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostnamespaces1.yaml new file mode 100755 index 00000000000..caa294e373c --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostnamespaces1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostnamespaces2.yaml new file mode 100755 index 00000000000..32350899785 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostnamespaces2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostPID: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostpathvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostpathvolumes0.yaml new file mode 100755 index 00000000000..86745e64a08 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostpathvolumes0.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - emptyDir: {} + name: volume-emptydir + - hostPath: + path: /a + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostpathvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostpathvolumes1.yaml new file mode 100755 index 00000000000..bc7759c2036 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostpathvolumes1.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /a + name: volume-hostpath-a + - hostPath: + path: /b + name: volume-hostpath-b diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostports0.yaml new file mode 100755 index 00000000000..9bf9055d9ee --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostports0.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostports1.yaml new file mode 100755 index 00000000000..ddecbf4925d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostports1.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostports2.yaml new file mode 100755 index 00000000000..ed9f6920981 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/hostports2.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + - containerPort: 12347 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + - containerPort: 12348 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/privileged0.yaml new file mode 100755 index 00000000000..7ad39f5c045 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/privileged0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + drop: + - ALL + privileged: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/privileged1.yaml new file mode 100755 index 00000000000..cb41dcb3aa4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/privileged1.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: + drop: + - ALL + privileged: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/procmount0.yaml new file mode 100755 index 00000000000..bd1b35c65be --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/procmount0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/procmount1.yaml new file mode 100755 index 00000000000..631fae1369e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/procmount1.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..5a95336d269 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - gcePersistentDisk: + pdName: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..153326fea89 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes1.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - awsElasticBlockStore: + volumeID: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..f34afe69ca8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes10.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - flocker: + datasetName: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..384e06f6b23 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes11.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - fc: + wwids: + - test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..8757fbf7fb4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes12.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - azureFile: + secretName: test + shareName: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..9e2086df359 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes13.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + vsphereVolume: + volumePath: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..d8b9605e4d1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes14.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + quobyte: + registry: localhost:1234 + volume: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..f3462ab7f43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes15.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - azureDisk: + diskName: test + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..d83daa6fcb1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes16.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + portworxVolume: + fsType: ext4 + volumeID: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..23f6b770e46 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes17.yaml 
@@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + scaleIO: + gateway: localhost + secretRef: null + system: test + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..ca5d93f57fd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes18.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..4ca4381bec9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes19.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /dev/null + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..9154458079c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes2.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..f1060bc3551 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes3.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + nfs: + path: /test + server: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..3a1447417e4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes4.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..e64cbe9ab50 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes5.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - glusterfs: + endpoints: test + path: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..4d596c9e415 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes6.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + rbd: + image: test + monitors: + - test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..c3887a35c12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes7.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - flexVolume: + driver: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..e11afbbe8ec --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes8.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - cinder: + volumeID: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..8159a4858b9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/restrictedvolumes9.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - cephfs: + monitors: + - test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasnonroot0.yaml new file mode 100755 index 00000000000..f460f659d94 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasnonroot0.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasnonroot1.yaml new file mode 100755 index 00000000000..285409793ea --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasnonroot1.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: false + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasnonroot2.yaml new file mode 100755 index 00000000000..067c7970fa7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasnonroot2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasnonroot3.yaml new file mode 100755 index 00000000000..5459f294e0b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasnonroot3.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasuser0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasuser0.yaml new file mode 100755 index 00000000000..5f7c9e0f005 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasuser0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + runAsUser: 0 + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasuser1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasuser1.yaml new file mode 100755 index 00000000000..ff62334ead6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasuser1.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 0 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasuser2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasuser2.yaml new file mode 100755 index 00000000000..26c713497d0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/runasuser2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 0 + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_baseline0.yaml new file mode 100755 index 00000000000..0b875ce5f01 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_baseline0.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_baseline1.yaml new file mode 100755 index 00000000000..3e63c31668c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_baseline1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: Unconfined + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_baseline2.yaml new file mode 100755 index 00000000000..4cd99407164 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_baseline2.yaml 
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: Unconfined
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_restricted0.yaml
new file mode 100755
index 00000000000..64b5604b5a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_restricted0.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_restricted1.yaml
new file mode 100755
index 00000000000..2ec3d48dfb6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_restricted1.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: Unconfined
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_restricted2.yaml
new file mode 100755
index 00000000000..c63c622a6ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_restricted2.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_restricted3.yaml
new file mode 100755
index 00000000000..69c969f8a68
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_restricted3.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_restricted4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_restricted4.yaml
new file mode 100755
index 00000000000..b17bf7648e4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/seccompprofile_restricted4.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted4
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: Unconfined
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/selinuxoptions0.yaml
new file mode 100755
index 00000000000..7135bb20b8e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/selinuxoptions0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/selinuxoptions1.yaml
new file mode 100755
index 00000000000..c99b8a5ed4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/selinuxoptions1.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/selinuxoptions2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/selinuxoptions2.yaml
new file mode 100755
index 00000000000..f2eafc2512b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/selinuxoptions2.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/selinuxoptions3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/selinuxoptions3.yaml
new file mode 100755
index 00000000000..1da063ebd1f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/selinuxoptions3.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/selinuxoptions4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/selinuxoptions4.yaml
new file mode 100755
index 00000000000..a4a38fb6034
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/selinuxoptions4.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions4
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/sysctls0.yaml
new file mode 100755
index 00000000000..841f73d238f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/sysctls0.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/windowshostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/windowshostprocess0.yaml
new file mode 100755
index 00000000000..4262e6a5b82
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/windowshostprocess0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: windowshostprocess0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ windowsOptions: {}
+ hostNetwork: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ windowsOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ windowsOptions:
+ hostProcess: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/windowshostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/windowshostprocess1.yaml
new file mode 100755
index 00000000000..ba1ce4a472f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/fail/windowshostprocess1.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: windowshostprocess1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ windowsOptions:
+ hostProcess: true
+ hostNetwork: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ windowsOptions:
+ hostProcess: true
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ windowsOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/apparmorprofile0.yaml
new file mode 100755
index 00000000000..53ebdaa0139
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/apparmorprofile0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
+ name: apparmorprofile0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/base.yaml
new file mode 100755
index 00000000000..3b4f3077dcc
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/base.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/base_linux.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/base_linux.yaml
similarity index 100%
rename from staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/base_linux.yaml
rename to staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/base_linux.yaml
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/base_windows.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/base_windows.yaml
similarity index 100%
rename from staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/base_windows.yaml
rename to staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/base_windows.yaml
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/capabilities_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/capabilities_restricted0.yaml
new file mode 100755
index 00000000000..8a70cb3efdb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/capabilities_restricted0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_restricted0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/hostports0.yaml
new file mode 100755
index 00000000000..e7f11535894
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/hostports0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/privileged0.yaml
new file mode 100755
index 00000000000..8e3aafdd8f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/privileged0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/procmount0.yaml
new file mode 100755
index 00000000000..aacd7351a8a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/procmount0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ procMount: Default
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ procMount: Default
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/restrictedvolumes0.yaml
new file mode 100755
index 00000000000..a11722485c5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/restrictedvolumes0.yaml
@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: volume0
+ - emptyDir: {}
+ name: volume1
+ - name: volume2
+ secret:
+ secretName: test
+ - name: volume3
+ persistentVolumeClaim:
+ claimName: test
+ - downwardAPI:
+ items:
+ - fieldRef:
+ fieldPath: metadata.labels
+ path: labels
+ name: volume4
+ - configMap:
+ name: test
+ name: volume5
+ - name: volume6
+ projected:
+ sources: []
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..414ac79b469
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/runasnonroot0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..549b013e53f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/runasnonroot1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/runasuser0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/runasuser0.yaml
new file mode 100755
index 00000000000..ed7aff0fa12
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/runasuser0.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasuser0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: 1000
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: 1000
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/seccompprofile_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/seccompprofile_restricted0.yaml
new file mode 100755
index 00000000000..f904065ce46
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/seccompprofile_restricted0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/seccompprofile_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/seccompprofile_restricted1.yaml
new file mode 100755
index 00000000000..5a60fd7c59b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/seccompprofile_restricted1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ localhostProfile: testing
+ type: Localhost
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/seccompprofile_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/seccompprofile_restricted2.yaml
new file mode 100755
index 00000000000..39d68e386b6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/seccompprofile_restricted2.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ localhostProfile: testing
+ type: Localhost
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/selinuxoptions0.yaml
new file mode 100755
index 00000000000..a45080b7425
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/selinuxoptions0.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/selinuxoptions1.yaml
new file mode 100755
index 00000000000..0a8365605e9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/selinuxoptions1.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions:
+ level: somevalue
+ type: container_init_t
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/sysctls0.yaml
new file mode 100755
index 00000000000..84224ffa94d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/sysctls0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/sysctls1.yaml
new file mode 100755
index 00000000000..29c925b97d5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.27/pass/sysctls1.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
+ - name: net.ipv4.ip_local_reserved_ports
+ value: 1024-4999
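Review bot: The pass fixture `sysctls1.yaml` shows only that admission at the v1.27 restricted level accepts `net.ipv4.ip_local_reserved_ports`; it does not show the pod will actually start, because (as far as I recall) that sysctl became network-namespaced only in kernel 3.16 and a kubelet on an older kernel may still refuse it, so "passes admission" and "runs on every node" are not the same claim here. A short comment next to the new entry would spare the next maintainer that surprise, e.g. `# admission accepts this unconditionally; whether the node honours it depends on the kernel version`. If these fixtures are emitted by a generator (the identical boilerplate and `100755` mode on every file suggest so), the note belongs in the generator or its documentation rather than in the YAML itself. The unquoted values `1024 65535` and `1 0` parse as plain-scalar strings, which is what the `value` field expects, so no quoting change is needed.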