diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities2.yaml
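Review bot: Every file in this diff, starting with `fail/addcapabilities0.yaml`, is created with `new file mode 100755`, so plain YAML test data lands in the tree with the executable bit set. Nothing in these fixtures is meant to be run, and data files marked executable add noise to any audit that looks for unexpected executables in a checkout. I would commit them as `new file mode 100644`; if a generator writes the files, the mode it passes when creating them is presumably where this should change.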
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
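Review bot: `fail/addcapabilities2.yaml` gives no hint why `chown` has to be rejected while `CHOWN` is accepted in `pass/addcapabilities0.yaml`, so the case-sensitivity it appears to pin is easy to mistake for a typo. The same applies to `addcapabilities3` and, for the `CAP_` prefix form, to `addcapabilities6`/`addcapabilities7` and the `v1.1` copies. A leading comment such as `# must fail: capability names are matched exactly against the baseline allow-list` would stop a later change that normalises names in the check from being "fixed" by editing the fixture instead. The numbered file names do not carry that intent on their own.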
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
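Review bot: The rejected SELinux fixtures beginning with `fail/selinux0.yaml` only ever use the placeholder `somevalue`, so no negative case sits close to an allowed `type`. The capability fixtures pin near-misses (`chown`, `CAP_CHOWN`), but here nothing would catch a check that compares `type` case-insensitively or by prefix against `container_t`, `container_init_t` and `container_kvm_t`. I would add one more fail fixture per level with a case variant, for example `type: Container_t`. The same gap is in `selinux1` and `selinux2`.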
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux10.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux11.yaml
new file mode 100755
index 00000000000..a822804f6ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux11.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux12.yaml
new file mode 100755
index 00000000000..b1c68dc32ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux12.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux13.yaml
new file mode 100755
index 00000000000..9eb78f0b6f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux13.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux14.yaml
new file mode 100755
index 00000000000..65538ab2a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux14.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux15.yaml
new file mode 100755
index 00000000000..0860e566de2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux15.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux16.yaml
new file mode 100755
index 00000000000..dbc402e3c0f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux16.yaml
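Review bot: `pass/selinux15.yaml` is identical to `pass/selinux16`, `selinux17`, `selinux3`, `selinux4` and `selinux5` apart from `metadata.name`: all six carry `seLinuxOptions: {}` at container, init-container and pod level. If they are meant to cover distinct inputs (an explicitly empty `user` or `role`, say), that distinction is not present in the serialized pod, so they exercise one path six times; this is inferred from the numbering and cannot be confirmed from the diff. Either keep a single fixture or record the intended case in a leading comment such as `# pass: seLinuxOptions set but empty at every level`.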
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux17.yaml
new file mode 100755
index 00000000000..54f075db6c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux17.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux18.yaml
new file mode 100755
index 00000000000..d4e08b855a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux18.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux19.yaml
new file mode 100755
index 00000000000..93750017a4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux19.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux2.yaml
new file mode 100755
index 00000000000..c132fd27c9b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux20.yaml
new file mode 100755
index 00000000000..69fde55ca14
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux20.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux3.yaml
new file mode 100755
index 00000000000..c640b84c2d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux10.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux11.yaml
new file mode 100755
index 00000000000..a822804f6ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux11.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux12.yaml
new file mode 100755
index 00000000000..b1c68dc32ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux12.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux13.yaml
new file mode 100755
index 00000000000..9eb78f0b6f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux13.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux14.yaml
new file mode 100755
index 00000000000..65538ab2a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux14.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux15.yaml
new file mode 100755
index 00000000000..0860e566de2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux15.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux16.yaml
new file mode 100755
index 00000000000..dbc402e3c0f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux16.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux17.yaml
new file mode 100755
index 00000000000..54f075db6c6
--- /dev/null
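Review bot: v1.1/pass/selinux15.yaml and selinux16.yaml are identical apart from `metadata.name`, with every `seLinuxOptions` written as `{}`; selinux17.yaml, whose hunk follows, is the same again, and so are pass/selinux3.yaml to selinux5.yaml further down. Whatever distinguishes these cases in the test source is presumably dropped when the pod is serialised (for example a field set to an empty string), so the committed files exercise one pod shape six times. Either collapse them or record the intended variation in a leading comment such as `# case: <field and level this fixture varies>`, so a reader can tell which allowed input each file stands for.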
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux17.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux18.yaml
new file mode 100755
index 00000000000..d4e08b855a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux18.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux19.yaml
new file mode 100755
index 00000000000..93750017a4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux19.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
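Review bot: v1.1/pass/selinux18.yaml and selinux19.yaml are missing any explanation of why `level: somevalue` is accepted, while the same placeholder under `type`, `user` or `role` sits in fail/ (fail/selinux0.yaml to selinux8.yaml). A reader auditing the policy cannot tell from the fixtures whether the pass is deliberate or a gap in the check. A leading comment such as `# seLinuxOptions.level is not restricted at this policy level; any value passes` would settle that. selinux20.yaml repeats the case for the init container and would take the same comment.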
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux2.yaml
new file mode 100755
index 00000000000..c132fd27c9b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux20.yaml
new file mode 100755
index 00000000000..69fde55ca14
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux20.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux3.yaml
new file mode 100755
index 00000000000..c640b84c2d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux10.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux11.yaml
new file mode 100755
index 00000000000..a822804f6ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux11.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux12.yaml
new file mode 100755
index 00000000000..b1c68dc32ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux12.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux13.yaml
new file mode 100755
index 00000000000..9eb78f0b6f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux13.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux14.yaml
new file mode 100755
index 00000000000..65538ab2a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux14.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux15.yaml
new file mode 100755
index 00000000000..0860e566de2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux15.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux16.yaml
new file mode 100755
index 00000000000..dbc402e3c0f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux16.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux17.yaml
new file mode 100755
index 00000000000..54f075db6c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux17.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux18.yaml
new file mode 100755
index 00000000000..d4e08b855a4
--- /dev/null
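Review bot: pass/selinux15.yaml, selinux16.yaml and selinux17.yaml have the same body apart from `metadata.name`, with all three `seLinuxOptions` shown as `{}`, and as far as this rendering shows the same holds for pass/selinux3.yaml, selinux4.yaml and selinux5.yaml further down. Presumably each was meant to cover a different field left empty, but that distinction does not survive in the serialized pod, so a reader cannot tell which case a file stands for and five of the six add no coverage. Either drop the duplicates or open each file with a comment naming its case, for example `# seLinuxOptions.user explicitly empty at pod level` (wording to be confirmed against whatever produces these files).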
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux18.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux19.yaml
new file mode 100755
index 00000000000..93750017a4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux19.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux2.yaml
new file mode 100755
index 00000000000..c132fd27c9b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux20.yaml
new file mode 100755
index 00000000000..69fde55ca14
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux20.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux3.yaml
new file mode 100755
index 00000000000..c640b84c2d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux10.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux11.yaml
new file mode 100755
index 00000000000..a822804f6ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux11.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux12.yaml
new file mode 100755
index 00000000000..b1c68dc32ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux12.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux13.yaml
new file mode 100755
index 00000000000..9eb78f0b6f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux13.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux14.yaml
new file mode 100755
index 00000000000..65538ab2a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux14.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux15.yaml
new file mode 100755
index 00000000000..0860e566de2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux15.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux16.yaml
new file mode 100755
index 00000000000..dbc402e3c0f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux16.yaml
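Review bot: v1.11/pass/selinux15.yaml serializes to the same pod as pass/selinux16.yaml, selinux17.yaml, selinux3.yaml, selinux4.yaml and selinux5.yaml further down: each has `seLinuxOptions: {}` at container, init-container and pod level, so the six files differ only in `metadata.name` and add no coverage over one another. If each was meant to set a different field to an empty value (the fail fixtures in the same version set `user` and `role`), that value does not survive in the YAML and the intent cannot be read from the file. A leading comment that names the case, for example `# case: <field and level this fixture varies>`, would document it; otherwise the duplicates could be reduced to one file.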
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux17.yaml
new file mode 100755
index 00000000000..54f075db6c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux17.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux18.yaml
new file mode 100755
index 00000000000..d4e08b855a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux18.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux19.yaml
new file mode 100755
index 00000000000..93750017a4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux19.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux2.yaml
new file mode 100755
index 00000000000..c132fd27c9b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux20.yaml
new file mode 100755
index 00000000000..69fde55ca14
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux20.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux3.yaml
new file mode 100755
index 00000000000..c640b84c2d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
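Review bot: Every failing `capabilities.add` fixture under v1.12/fail (addcapabilities0.yaml through addcapabilities7.yaml) lists a single entry, so none of them checks that a disallowed capability is still rejected when it appears next to allowed ones. A fixture whose `add` list holds `- CHOWN` followed by `- NET_RAW` would pin that the check inspects every entry of the list and not only the first. The v1.0 fail fixtures visible at the top of the diff have the same single-entry shape, so the gap probably applies to each version directory.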
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux10.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux11.yaml
new file mode 100755
index 00000000000..a822804f6ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux11.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux12.yaml
new file mode 100755
index 00000000000..b1c68dc32ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux12.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux13.yaml
new file mode 100755
index 00000000000..9eb78f0b6f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux13.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux14.yaml
new file mode 100755
index 00000000000..65538ab2a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux14.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux15.yaml
new file mode 100755
index 00000000000..0860e566de2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux15.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux16.yaml
new file mode 100755
index 00000000000..dbc402e3c0f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux16.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux17.yaml
new file mode 100755
index 00000000000..54f075db6c6
--- /dev/null
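Review bot: The selinux15 pod differs from selinux16 in this directory only by `metadata.name`: both set `seLinuxOptions: {}` on the pod, the container and the init container. selinux17 and selinux3, selinux4 and selinux5 under v1.12/pass have the same body, so six passing cases exercise one input. Presumably each was meant to cover a distinct field whose value was dropped when the pod was serialized, but nothing on the page shows which. Either collapse them into one fixture or record the intent at the top of each file, e.g. `# intended case: <field and value under test>`.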
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux17.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux18.yaml
new file mode 100755
index 00000000000..d4e08b855a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux18.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux19.yaml
new file mode 100755
index 00000000000..93750017a4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux19.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux2.yaml
new file mode 100755
index 00000000000..c132fd27c9b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux20.yaml
new file mode 100755
index 00000000000..69fde55ca14
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux20.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux3.yaml
new file mode 100755
index 00000000000..c640b84c2d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities1.yaml
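Review bot: The `add` list here holds a single disallowed name, and the same is true of addcapabilities1 through addcapabilities7 under v1.13/fail, while the passing fixtures list only allowed names. No fixture in this part of the diff mixes the two, so a check that looked only at the first entry of `add` would still satisfy all of them. A failing case whose list is `- CHOWN` followed by `- NET_RAW` would pin that every entry is evaluated; such a case may exist in a part of the diff not shown here.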
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux10.yaml
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_init_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux11.yaml new file mode 100755 index 00000000000..a822804f6ab --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux11.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_init_t + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux12.yaml new file mode 100755 index 00000000000..b1c68dc32ad --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux12.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_kvm_t 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux13.yaml new file mode 100755 index 00000000000..9eb78f0b6f4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux13.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_kvm_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux14.yaml new file mode 100755 index 00000000000..65538ab2a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux14.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_kvm_t + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux15.yaml new file mode 100755 index 00000000000..0860e566de2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux15.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux16.yaml new file mode 100755 index 00000000000..dbc402e3c0f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux16.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux17.yaml new file mode 100755 index 00000000000..54f075db6c6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux17.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux18.yaml new file mode 100755 index 00000000000..d4e08b855a4 --- /dev/null 
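Review bot: v1.13/pass/selinux15.yaml carries `seLinuxOptions: {}` at container, initContainer and pod level, and apart from `metadata.name` it is line-for-line the same as selinux16, selinux17, selinux3, selinux4 and selinux5 in this directory. The v1.14/pass copies of selinux15–17 repeat this. As written, these six pods exercise one and the same input, so they add no coverage beyond a single all-empty case. Presumably each was meant to set a different field to an empty string that the serialiser then dropped, but that cannot be confirmed from the diff. Either collapse them into one fixture or record the intended case in a header comment, e.g. `# case: <field under test> set to "" (serialises as {})`.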
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux18.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + level: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux19.yaml new file mode 100755 index 00000000000..93750017a4f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux19.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + level: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux2.yaml new file mode 100755 index 00000000000..c132fd27c9b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux20.yaml new file mode 100755 index 00000000000..69fde55ca14 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux20.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux20 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + level: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux3.yaml new file mode 100755 index 00000000000..c640b84c2d7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux3.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux4.yaml new file mode 100755 index 00000000000..d9bd3a68476 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux4.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux5.yaml new file mode 100755 index 00000000000..37d9add6051 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux5.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux6.yaml new file mode 100755 index 00000000000..132c8eab9aa --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux6.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux7.yaml new file mode 100755 index 00000000000..ad08ffeaa08 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux7.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux8.yaml new file mode 100755 index 00000000000..99ab7059633 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux8.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_t + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux9.yaml new file mode 100755 index 00000000000..500d032e3d9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/selinux9.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_init_t 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities0.yaml new file mode 100755 index 00000000000..fad76945b33 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - NET_RAW + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities1.yaml new file mode 100755 index 00000000000..314cc49cc9d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - NET_RAW + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities2.yaml new file mode 100755 index 00000000000..2a8a9a23339 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities2.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - chown + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities3.yaml new file mode 100755 index 00000000000..7e2702d1c80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - chown + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities4.yaml new file mode 100755 index 00000000000..a2ffd421b3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities4.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - bogus + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} 
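Review bot: v1.14/fail/addcapabilities2.yaml adds `chown`, while the pass fixture for this level adds `CHOWN`, and nothing in the file says that the difference in case is what must be rejected. The same applies to `bogus` (addcapabilities4, 5) and `CAP_CHOWN` (addcapabilities6, 7), where the expected reason is only implied by the `fail/` directory. A one-line header would make the allow-list contract reviewable, for example `# lower-case name: allow-list match is exact, so this must be rejected` and `# CAP_ prefix is not accepted`. If the fixtures are emitted by a generator, the comment belongs on the corresponding case there.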
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities5.yaml new file mode 100755 index 00000000000..011d3826820 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - bogus + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities6.yaml new file mode 100755 index 00000000000..a41704fe7a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities6.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities7.yaml new file mode 100755 index 00000000000..2a451ec6fc7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/addcapabilities7.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - CAP_CHOWN + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux0.yaml new file mode 100755 index 00000000000..a7a949fb2c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux1.yaml new file mode 100755 index 00000000000..f44633c8ab9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux2.yaml new file mode 100755 index 00000000000..c6ea8f1ccee --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux3.yaml new file mode 100755 index 00000000000..3c697dcda21 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + user: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux4.yaml new file mode 100755 index 00000000000..9290b5bb925 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux4.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + user: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} 
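Review bot: v1.14/fail/selinux3.yaml sets only `user: somevalue`, and every other fail fixture for `seLinuxOptions` in view (selinux0–8) likewise sets exactly one of `type`, `user` or `role` on its own. None combines an allowed type with a disallowed field, so a check that returns early once it sees an accepted `type` would still pass the whole suite. The checker is not part of this diff, so this is a coverage gap rather than a confirmed bug. Adding one fail fixture per level with `type: container_t` and `user: somevalue` in the same `seLinuxOptions` (and likewise for `role`) would close it.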
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux5.yaml new file mode 100755 index 00000000000..00005ea86d7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + user: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux6.yaml new file mode 100755 index 00000000000..1323b728e9f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux6.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + role: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux7.yaml new file mode 100755 index 00000000000..33514c7180b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux7.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + role: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux8.yaml new file mode 100755 index 00000000000..429c552f1c6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/selinux8.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + role: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/addcapabilities0.yaml new file mode 100755 index 00000000000..08af9d73edd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/addcapabilities0.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/addcapabilities1.yaml new file mode 100755 index 00000000000..d5c07bdb914 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/addcapabilities1.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/base.yaml new file mode 100755 index 00000000000..acd9c046ec7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/base.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux0.yaml new file mode 100755 index 00000000000..97fc26aba33 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux1.yaml new file mode 100755 index 00000000000..43c34db39f1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux10.yaml new file mode 100755 index 00000000000..c6f38fc576a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux10.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_init_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux11.yaml new file mode 100755 index 00000000000..a822804f6ab --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux11.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_init_t + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux12.yaml new file mode 100755 index 00000000000..b1c68dc32ad --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux12.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_kvm_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux13.yaml new file mode 100755 index 00000000000..9eb78f0b6f4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux13.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_kvm_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux14.yaml new file mode 100755 index 00000000000..65538ab2a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux14.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_kvm_t + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux15.yaml new file mode 100755 index 00000000000..0860e566de2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux15.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux16.yaml new file mode 100755 index 00000000000..dbc402e3c0f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux16.yaml 
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux17.yaml
new file mode 100755
index 00000000000..54f075db6c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux17.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux18.yaml
new file mode 100755
index 00000000000..d4e08b855a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux18.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux19.yaml
new file mode 100755
index 00000000000..93750017a4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux19.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux2.yaml
new file mode 100755
index 00000000000..c132fd27c9b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux20.yaml
new file mode 100755
index 00000000000..69fde55ca14
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux20.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux3.yaml
new file mode 100755
index 00000000000..c640b84c2d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities3.yaml
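Review bot: The fail case `add: - chown` in v1.15/fail/addcapabilities2.yaml carries no hint of why it must be rejected, and the numbered file name does not help. The matching pass fixture lists `CHOWN` in upper case, so this case, like `CAP_CHOWN` in addcapabilities6/7 and `bogus` in addcapabilities4/5, presumably pins that added capabilities are compared with the allowed names exactly, with no case folding and no `CAP_` prefix stripping. I would add a leading comment such as `# baseline must reject: "chown" is not an exact match for an allowed capability name` to each of these fixtures. That way a later change that normalises names before comparing is recognised as a policy change rather than a test fix.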
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux10.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux11.yaml
new file mode 100755
index 00000000000..a822804f6ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux11.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux12.yaml
new file mode 100755
index 00000000000..b1c68dc32ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux12.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux13.yaml
new file mode 100755
index 00000000000..9eb78f0b6f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux13.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux14.yaml
new file mode 100755
index 00000000000..65538ab2a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux14.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux15.yaml
new file mode 100755
index 00000000000..0860e566de2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux15.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux16.yaml
new file mode 100755
index 00000000000..dbc402e3c0f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux16.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux17.yaml
new file mode 100755
index 00000000000..54f075db6c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux17.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux18.yaml
new file mode 100755
index 00000000000..d4e08b855a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux18.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux19.yaml
new file mode 100755
index 00000000000..93750017a4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux19.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux2.yaml
new file mode 100755
index 00000000000..c132fd27c9b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux20.yaml
new file mode 100755
index 00000000000..69fde55ca14
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux20.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux3.yaml
new file mode 100755
index 00000000000..c640b84c2d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
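Review bot: The v1.15/pass fixtures `selinux3.yaml`, `selinux4.yaml` and `selinux5.yaml` differ only in `metadata.name` as far as the page shows; every `seLinuxOptions` block in all three is `{}`, so they submit the same pod to the check. The same holds for `selinux15`–`selinux17` under v1.16/pass and for the v1.16 copies of `selinux3`–`selinux5`. Presumably each was meant to vary a field whose value is dropped on serialisation, in which case the input under test is not recorded in the file at all. I would either drop the duplicates or give each a header comment such as `# case: <field and value this fixture was meant to vary>`, so a failure in one can be traced to a specific input.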
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
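Review bot: Nothing in `v1.16/fail/addcapabilities2.yaml` or `addcapabilities3.yaml` records why `chown` is expected to be rejected, and the reason is easy to misread. The v1.16 pass fixtures list `CHOWN` among the addable capabilities, so these cases appear to pin that the baseline check compares names exactly: the lower-case `chown` here, and the `CAP_CHOWN` spelling in `addcapabilities6.yaml` and `addcapabilities7.yaml`, are denied rather than normalised to an allowed name. A one-line header such as `# expect deny: capability names are matched exactly; "chown" is not the allowed "CHOWN"` would stop a later change from treating the case as a typo. The v1.17 copies of these files need the same comment.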
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux10.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux11.yaml
new file mode 100755
index 00000000000..a822804f6ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux11.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux12.yaml
new file mode 100755
index 00000000000..b1c68dc32ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux12.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux13.yaml
new file mode 100755
index 00000000000..9eb78f0b6f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux13.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux14.yaml
new file mode 100755
index 00000000000..65538ab2a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux14.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux15.yaml
new file mode 100755
index 00000000000..0860e566de2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux15.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux16.yaml
new file mode 100755
index 00000000000..dbc402e3c0f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux16.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux17.yaml
new file mode 100755
index 00000000000..54f075db6c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux17.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux18.yaml
new file mode 100755
index 00000000000..d4e08b855a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux18.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux19.yaml
new file mode 100755
index 00000000000..93750017a4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux19.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux2.yaml
new file mode 100755
index 00000000000..c132fd27c9b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux20.yaml
new file mode 100755
index 00000000000..69fde55ca14
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux20.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux3.yaml
new file mode 100755
index 00000000000..c640b84c2d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
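Review bot: v1.17/fail/addcapabilities2.yaml adds `chown` under `capabilities.add`, and nothing in the file says why that is a rejection case when v1.17/pass/addcapabilities0.yaml lists `CHOWN`. Presumably the check compares names exactly against the allowed list, so a lower-case or `CAP_`-prefixed spelling counts as an unknown capability; a leading comment such as `# rejected: capability name is not an exact match for an allowed name (case-sensitive, no CAP_ prefix)` would make the intent reviewable. The same applies to addcapabilities3.yaml (`chown`), addcapabilities6.yaml and addcapabilities7.yaml (`CAP_CHOWN`), and to the v1.18 copies.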
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux10.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux11.yaml
new file mode 100755
index 00000000000..a822804f6ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux11.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux12.yaml
new file mode 100755
index 00000000000..b1c68dc32ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux12.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux13.yaml
new file mode 100755
index 00000000000..9eb78f0b6f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux13.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux14.yaml
new file mode 100755
index 00000000000..65538ab2a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux14.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux15.yaml
new file mode 100755
index 00000000000..0860e566de2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux15.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux16.yaml
new file mode 100755
index 00000000000..dbc402e3c0f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux16.yaml
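Review bot: v1.17/pass/selinux15.yaml has the same body as selinux16.yaml and selinux17.yaml apart from `metadata.name` (all three `seLinuxOptions` are `{}`), and selinux3.yaml, selinux4.yaml and selinux5.yaml in the same directory repeat that body as well. As far as the visible lines show, the six files differ only by name, so a reader cannot tell which field each case was meant to vary; presumably a field that was set to an empty value was dropped when the pod was serialized. A leading comment in each file, `# case: <field varied and the value it was given>`, would make the intended coverage explicit, or the six could be folded into one fixture if they really are the same input.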
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux17.yaml
new file mode 100755
index 00000000000..54f075db6c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux17.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux18.yaml
new file mode 100755
index 00000000000..d4e08b855a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux18.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux19.yaml
new file mode 100755
index 00000000000..93750017a4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux19.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux2.yaml
new file mode 100755
index 00000000000..c132fd27c9b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux20.yaml
new file mode 100755
index 00000000000..69fde55ca14
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux20.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux3.yaml
new file mode 100755
index 00000000000..c640b84c2d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux10.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux11.yaml
new file mode 100755
index 00000000000..a822804f6ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux11.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux12.yaml
new file mode 100755
index 00000000000..b1c68dc32ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux12.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux13.yaml
new file mode 100755
index 00000000000..9eb78f0b6f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux13.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux14.yaml
new file mode 100755
index 00000000000..65538ab2a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux14.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux15.yaml
new file mode 100755
index 00000000000..0860e566de2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux15.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux16.yaml
new file mode 100755
index 00000000000..dbc402e3c0f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux16.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux17.yaml
new file mode 100755
index 00000000000..54f075db6c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux17.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux18.yaml
new file mode 100755
index 00000000000..d4e08b855a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux18.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux19.yaml
new file mode 100755
index 00000000000..93750017a4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux19.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
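Review bot: v1.18/pass/selinux17.yaml is line for line the same manifest as pass/selinux15.yaml and pass/selinux16.yaml apart from `metadata.name`, and pass/selinux3.yaml, selinux4.yaml and selinux5.yaml repeat that body again: all six set `seLinuxOptions: {}` at pod, container and init-container level. Whatever distinct input each case was meant to exercise is not present in the file (possibly an empty-string `type`, `user` or `role` that was dropped on serialization, which is a guess), so these six add no coverage beyond one another and a reader cannot tell which rule each one guards. Either fold them into one fixture or give each a leading comment naming its case, for example `# case: <field under test> set to empty string`.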
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux2.yaml
new file mode 100755
index 00000000000..c132fd27c9b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux20.yaml
new file mode 100755
index 00000000000..69fde55ca14
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux20.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux3.yaml
new file mode 100755
index 00000000000..c640b84c2d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
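Review bot: Every failing capabilities fixture under v1.19/fail (addcapabilities0.yaml through addcapabilities7.yaml) puts exactly one entry in its `add:` list, so none covers a list in which an allowed capability comes before a disallowed one. A check that inspected only the first element would still reject all eight; the check itself is not visible in this diff, so this is a coverage gap rather than a known bug. Consider one more pair of fixtures whose list is `- CHOWN` followed by `- NET_RAW`, once on `container1` and once on `initcontainer1`, and the same for the other version directories.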
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux10.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux11.yaml
new file mode 100755
index 00000000000..a822804f6ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux11.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux12.yaml
new file mode 100755
index 00000000000..b1c68dc32ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux12.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux13.yaml
new file mode 100755
index 00000000000..9eb78f0b6f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux13.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux14.yaml
new file mode 100755
index 00000000000..65538ab2a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux14.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux15.yaml
new file mode 100755
index 00000000000..0860e566de2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux15.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux16.yaml
new file mode 100755
index 00000000000..dbc402e3c0f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux16.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux17.yaml
new file mode 100755
index 00000000000..54f075db6c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux17.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux18.yaml
new file mode 100755
index 00000000000..d4e08b855a4
--- /dev/null
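Review bot: v1.19/pass/selinux15.yaml, selinux16.yaml and selinux17.yaml differ only in `metadata.name`, and pass/selinux3.yaml to selinux5.yaml further down repeat the same body; every `seLinuxOptions` is `{}` in all six. If each was meant to exercise a different empty-valued field, that distinction is not present in the YAML, so anything replaying these files checks the same pod six times. A leading comment naming the intended case, for example `# case: <field under test> left empty` (placeholder, the real field is not visible here), would make the intent reviewable.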
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux18.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux19.yaml
new file mode 100755
index 00000000000..93750017a4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux19.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux2.yaml
new file mode 100755
index 00000000000..c132fd27c9b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux20.yaml
new file mode 100755
index 00000000000..69fde55ca14
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux20.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux3.yaml
new file mode 100755
index 00000000000..c640b84c2d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
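Review bot: v1.2/fail/addcapabilities2.yaml adds `chown` with nothing saying why a capability whose upper-case spelling appears in the pass fixtures is expected to be rejected. Together with `bogus` (addcapabilities4 and 5) and `CAP_CHOWN` (addcapabilities6 and 7), this reads as pinning exact, case-sensitive matching against the baseline allow-list, but that is inferred from the values only. A one-line header in these files, such as `# rejected: capability names must match the allow-list exactly (no lower case, no CAP_ prefix)`, would document the rule the fixture protects.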
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux10.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux11.yaml
new file mode 100755
index 00000000000..a822804f6ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux11.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux12.yaml
new file mode 100755
index 00000000000..b1c68dc32ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux12.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux13.yaml
new file mode 100755
index 00000000000..9eb78f0b6f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux13.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux14.yaml
new file mode 100755
index 00000000000..65538ab2a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux14.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux15.yaml
new file mode 100755
index 00000000000..0860e566de2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux15.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux16.yaml
new file mode 100755
index 00000000000..dbc402e3c0f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux16.yaml
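Review bot: v1.2/pass/selinux15.yaml sets no SELinux field at all, since all three `seLinuxOptions` maps are `{}`. Apart from `metadata.name` it is identical to pass/selinux16, selinux17, selinux3, selinux4 and selinux5 in the same directory, and to selinux15 through selinux17 under v1.20/pass. These fixtures therefore assert the same thing, and the input each was meant to cover is not in the serialized pod. Presumably the varying field was an empty value dropped on serialization, which should be confirmed against whatever produces these files. Either collapse the duplicates or make the intent visible, for example with a leading comment such as `# case: <what this fixture varies>`.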
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux17.yaml
new file mode 100755
index 00000000000..54f075db6c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux17.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux18.yaml
new file mode 100755
index 00000000000..d4e08b855a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux18.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux19.yaml
new file mode 100755
index 00000000000..93750017a4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux19.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux2.yaml
new file mode 100755
index 00000000000..c132fd27c9b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux20.yaml
new file mode 100755
index 00000000000..69fde55ca14
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux20.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux3.yaml
new file mode 100755
index 00000000000..c640b84c2d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
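Review bot: v1.20/fail/addcapabilities0.yaml puts exactly one disallowed name in its `add` list, and so do addcapabilities1 through addcapabilities7 in the same directory, while the passing fixtures list only allowed names. No fixture visible here mixes the two in one list. A check that stopped at the first allowed entry, or inspected only part of the list, would still satisfy every one of these cases. Consider a failing fixture whose `add` list holds an allowed name followed by a disallowed one, e.g. `- CHOWN` then `- NET_RAW`, once for the container and once for the init container.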
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux10.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux11.yaml
new file mode 100755
index 00000000000..a822804f6ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux11.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux12.yaml
new file mode 100755
index 00000000000..b1c68dc32ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux12.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux13.yaml
new file mode 100755
index 00000000000..9eb78f0b6f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux13.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux14.yaml
new file mode 100755
index 00000000000..65538ab2a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux14.yaml
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_kvm_t + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux15.yaml new file mode 100755 index 00000000000..0860e566de2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux15.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux16.yaml new file mode 100755 index 00000000000..dbc402e3c0f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux16.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux17.yaml new file mode 100755 index 00000000000..54f075db6c6 --- /dev/null 
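Review bot: v1.20/pass/selinux15.yaml and selinux16.yaml have the same body apart from `metadata.name`: `seLinuxOptions: {}` at the container, init-container and pod level. v1.20/pass/selinux17, selinux3, selinux4 and selinux5 repeat that body, as do the same six names under v1.21/pass, so as written these twelve fixtures exercise a single case. If each was meant to cover a distinct allowed value, for example an explicitly empty `user` or `role`, that value appears to have been dropped when the pod was serialized. Each fixture should either carry its value visibly or the set should be collapsed into one file.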
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux17.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux18.yaml new file mode 100755 index 00000000000..d4e08b855a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux18.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + level: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux19.yaml new file mode 100755 index 00000000000..93750017a4f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux19.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + level: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux2.yaml new file mode 100755 index 00000000000..c132fd27c9b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux20.yaml new file mode 100755 index 00000000000..69fde55ca14 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux20.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux20 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + level: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux3.yaml new file mode 100755 index 00000000000..c640b84c2d7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux3.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux4.yaml new file mode 100755 index 00000000000..d9bd3a68476 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux4.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux5.yaml new file mode 100755 index 00000000000..37d9add6051 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux5.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux6.yaml new file mode 100755 index 00000000000..132c8eab9aa --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux6.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux7.yaml new file mode 100755 index 00000000000..ad08ffeaa08 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux7.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux8.yaml new file mode 100755 index 00000000000..99ab7059633 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux8.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_t + securityContext: + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux9.yaml new file mode 100755 index 00000000000..500d032e3d9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/selinux9.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_init_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities0.yaml new file mode 100755 index 00000000000..fad76945b33 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - NET_RAW + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities1.yaml new file mode 100755 index 00000000000..314cc49cc9d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities1.yaml 
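Review bot: The `add:` list in v1.21/fail/addcapabilities0.yaml holds exactly one entry (`NET_RAW`), and the same is true of fail/addcapabilities1 through addcapabilities7, so no negative case mixes allowed and disallowed capabilities. A check that stopped at the first allowed entry would still pass this whole set. Add a fail fixture whose list is `- CHOWN` followed by `- NET_RAW`, and a second with the order reversed, for both `containers` and `initContainers`.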
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - NET_RAW + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities2.yaml new file mode 100755 index 00000000000..2a8a9a23339 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - chown + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities3.yaml new file mode 100755 index 00000000000..7e2702d1c80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - chown + securityContext: {} 
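Review bot: v1.21/fail/addcapabilities2.yaml gives no hint why `- chown` must be rejected when `- CHOWN` appears in pass/addcapabilities0.yaml. The two differ only in letter case, which a reader has to discover by comparing the directories. A leading comment such as `# lower-case name: expected to be rejected, allow-list entries are upper-case` would record the intent the fail/pass placement implies. The same applies to addcapabilities3 (the init-container variant), to `bogus` in addcapabilities4/5 and to the `CAP_`-prefixed `CAP_CHOWN` in addcapabilities6/7.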
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities4.yaml new file mode 100755 index 00000000000..a2ffd421b3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities4.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - bogus + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities5.yaml new file mode 100755 index 00000000000..011d3826820 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - bogus + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities6.yaml new file mode 100755 index 00000000000..a41704fe7a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities6.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities7.yaml new file mode 100755 index 00000000000..2a451ec6fc7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/addcapabilities7.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - CAP_CHOWN + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux0.yaml new file mode 100755 index 00000000000..a7a949fb2c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux1.yaml new file mode 100755 index 00000000000..f44633c8ab9 
--- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux2.yaml new file mode 100755 index 00000000000..c6ea8f1ccee --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux3.yaml new file mode 100755 index 00000000000..3c697dcda21 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + user: somevalue 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux4.yaml new file mode 100755 index 00000000000..9290b5bb925 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux4.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + user: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux5.yaml new file mode 100755 index 00000000000..00005ea86d7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + user: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux6.yaml new file mode 100755 index 00000000000..1323b728e9f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux6.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + role: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux7.yaml new file mode 100755 index 00000000000..33514c7180b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux7.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + role: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux8.yaml new file mode 100755 index 00000000000..429c552f1c6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/selinux8.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + role: somevalue + securityContext: + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/addcapabilities0.yaml new file mode 100755 index 00000000000..08af9d73edd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/addcapabilities0.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/addcapabilities1.yaml new file mode 100755 index 00000000000..d5c07bdb914 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/addcapabilities1.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/base.yaml new file mode 100755 index 00000000000..acd9c046ec7 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/base.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux0.yaml new file mode 100755 index 00000000000..97fc26aba33 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux1.yaml new file mode 100755 index 00000000000..43c34db39f1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux10.yaml new file mode 100755 index 00000000000..c6f38fc576a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux10.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_init_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux11.yaml new file mode 100755 index 00000000000..a822804f6ab --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux11.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_init_t + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux12.yaml new file mode 100755 index 00000000000..b1c68dc32ad --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux12.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_kvm_t 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux13.yaml new file mode 100755 index 00000000000..9eb78f0b6f4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux13.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_kvm_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux14.yaml new file mode 100755 index 00000000000..65538ab2a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux14.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_kvm_t + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux15.yaml new file mode 100755 index 00000000000..0860e566de2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux15.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux16.yaml new file mode 100755 index 00000000000..dbc402e3c0f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux16.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux17.yaml new file mode 100755 index 00000000000..54f075db6c6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux17.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux18.yaml new file mode 100755 index 00000000000..d4e08b855a4 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux18.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + level: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux19.yaml new file mode 100755 index 00000000000..93750017a4f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux19.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + level: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux2.yaml new file mode 100755 index 00000000000..c132fd27c9b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux20.yaml new file mode 100755 index 00000000000..69fde55ca14 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux20.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux20 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + level: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux3.yaml new file mode 100755 index 00000000000..c640b84c2d7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux3.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux4.yaml new file mode 100755 index 00000000000..d9bd3a68476 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux4.yaml 
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux10.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux11.yaml
new file mode 100755
index 00000000000..a822804f6ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux11.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux12.yaml
new file mode 100755
index 00000000000..b1c68dc32ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux12.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux13.yaml
new file mode 100755
index 00000000000..9eb78f0b6f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux13.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux14.yaml
new file mode 100755
index 00000000000..65538ab2a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux14.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux15.yaml
new file mode 100755
index 00000000000..0860e566de2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux15.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux16.yaml
new file mode 100755
index 00000000000..dbc402e3c0f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux16.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux17.yaml
new file mode 100755
index 00000000000..54f075db6c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux17.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux18.yaml
new file mode 100755
index 00000000000..d4e08b855a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux18.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux19.yaml
new file mode 100755
index 00000000000..93750017a4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux19.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux2.yaml
new file mode 100755
index 00000000000..c132fd27c9b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux20.yaml
new file mode 100755
index 00000000000..69fde55ca14
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux20.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux3.yaml
new file mode 100755
index 00000000000..c640b84c2d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux10.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux11.yaml
new file mode 100755
index 00000000000..a822804f6ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux11.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux12.yaml
new file mode 100755
index 00000000000..b1c68dc32ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux12.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux13.yaml
new file mode 100755
index 00000000000..9eb78f0b6f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux13.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux14.yaml
new file mode 100755
index 00000000000..65538ab2a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux14.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux15.yaml
new file mode 100755
index 00000000000..0860e566de2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux15.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux16.yaml
new file mode 100755
index 00000000000..dbc402e3c0f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux16.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux17.yaml
new file mode 100755
index 00000000000..54f075db6c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux17.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux18.yaml
new file mode 100755
index 00000000000..d4e08b855a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux18.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux19.yaml
new file mode 100755
index 00000000000..93750017a4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux19.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux2.yaml
new file mode 100755
index 00000000000..c132fd27c9b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux20.yaml
new file mode 100755
index 00000000000..69fde55ca14
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux20.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux3.yaml
new file mode 100755
index 00000000000..c640b84c2d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux10.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux11.yaml
new file mode 100755
index 00000000000..a822804f6ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux11.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux12.yaml
new file mode 100755
index 00000000000..b1c68dc32ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux12.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux13.yaml
new file mode 100755
index 00000000000..9eb78f0b6f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux13.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux14.yaml
new file mode 100755
index 00000000000..65538ab2a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux14.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux15.yaml
new file mode 100755
index 00000000000..0860e566de2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux15.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux16.yaml
new file mode 100755
index 00000000000..dbc402e3c0f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux16.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux17.yaml
new file mode 100755
index 00000000000..54f075db6c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux17.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux18.yaml
new file mode 100755
index 00000000000..d4e08b855a4
--- /dev/null
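Review bot: v1.4/pass/selinux15.yaml contains only empty `seLinuxOptions: {}` at container, init-container and pod level, and apart from `metadata.name` it is line-for-line the same as pass/selinux16.yaml, selinux17.yaml, selinux3.yaml, selinux4.yaml and selinux5.yaml in this directory. As stored, six fixtures exercise a single input, so a reader cannot tell which SELinux case each one is meant to cover; possibly each was built with a distinct empty-valued field that was dropped when the manifest was serialised, but that is not visible here. Either collapse the duplicates or record the intent in the file, for example a leading comment such as `# case: <field and level under test>`.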
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux18.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux19.yaml
new file mode 100755
index 00000000000..93750017a4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux19.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux2.yaml
new file mode 100755
index 00000000000..c132fd27c9b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux20.yaml
new file mode 100755
index 00000000000..69fde55ca14
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux20.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux3.yaml
new file mode 100755
index 00000000000..c640b84c2d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/base.yaml
new file mode 100755
index 00000000000..acd9c046ec7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux0.yaml
new file mode 100755
index 00000000000..97fc26aba33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux1.yaml
new file mode 100755
index 00000000000..43c34db39f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux10.yaml
new file mode 100755
index 00000000000..c6f38fc576a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux10.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux11.yaml
new file mode 100755
index 00000000000..a822804f6ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux11.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux12.yaml
new file mode 100755
index 00000000000..b1c68dc32ad
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux12.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux13.yaml
new file mode 100755
index 00000000000..9eb78f0b6f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux13.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux14.yaml
new file mode 100755
index 00000000000..65538ab2a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux14.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux15.yaml
new file mode 100755
index 00000000000..0860e566de2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux15.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux16.yaml
new file mode 100755
index 00000000000..dbc402e3c0f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux16.yaml
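Review bot: baseline/v1.5/pass/selinux15.yaml is identical to pass/selinux16.yaml and pass/selinux17.yaml apart from `metadata.name`, and also to pass/selinux3.yaml, selinux4.yaml and selinux5.yaml later in this diff: every `seLinuxOptions` is `{}` at pod, container and init-container level. If these six files were meant to pin distinct allowed inputs (presumably an empty `user` or `role` at each of the three levels, mirroring the fail cases that set `user: somevalue` and `role: somevalue`), that distinction is not visible in the serialized fixture, so a reader cannot tell which case each file is supposed to cover. A leading comment in each file, for example `# case: seLinuxOptions.user is empty on the pod securityContext` (wording to be confirmed against whatever produces these fixtures), would make the intent reviewable; otherwise the duplicates could be collapsed into one file.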
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux17.yaml
new file mode 100755
index 00000000000..54f075db6c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux17.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux18.yaml
new file mode 100755
index 00000000000..d4e08b855a4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux18.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux19.yaml
new file mode 100755
index 00000000000..93750017a4f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux19.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux2.yaml
new file mode 100755
index 00000000000..c132fd27c9b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux20.yaml
new file mode 100755
index 00000000000..69fde55ca14
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux20.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux3.yaml
new file mode 100755
index 00000000000..c640b84c2d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..fad76945b33
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..314cc49cc9d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..2a8a9a23339
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7e2702d1c80
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..a2ffd421b3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..011d3826820
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a41704fe7a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..2a451ec6fc7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/addcapabilities7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux0.yaml
new file mode 100755
index 00000000000..a7a949fb2c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux1.yaml
new file mode 100755
index 00000000000..f44633c8ab9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux2.yaml
new file mode 100755
index 00000000000..c6ea8f1ccee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux3.yaml
new file mode 100755
index 00000000000..3c697dcda21
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux4.yaml
new file mode 100755
index 00000000000..9290b5bb925
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux5.yaml
new file mode 100755
index 00000000000..00005ea86d7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux6.yaml
new file mode 100755
index 00000000000..1323b728e9f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux7.yaml
new file mode 100755
index 00000000000..33514c7180b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux8.yaml
new file mode 100755
index 00000000000..429c552f1c6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..08af9d73edd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/addcapabilities0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..d5c07bdb914
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/addcapabilities1.yaml
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/base.yaml new file mode 100755 index 00000000000..acd9c046ec7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/base.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux0.yaml new file mode 100755 index 00000000000..97fc26aba33 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux1.yaml new file mode 100755 index 00000000000..43c34db39f1 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux10.yaml new file mode 100755 index 00000000000..c6f38fc576a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux10.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_init_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux11.yaml new file mode 100755 index 00000000000..a822804f6ab --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux11.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_init_t + securityContext: + seLinuxOptions: {} 
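Review bot: These fixtures are added with the executable bit set: the headers for pass/selinux10.yaml and pass/selinux11.yaml read `new file mode 100755`, and so does every other file header visible in the v1.6 and v1.7 testdata of this diff. They are Pod manifests that are only read as data, so nothing needs to execute them, and `new file mode 100644` is the mode I would expect. If the files are written by a generator (not visible here), the permission it passes when writing is the place to change, otherwise the bit comes back on the next regeneration.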
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux12.yaml new file mode 100755 index 00000000000..b1c68dc32ad --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux12.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_kvm_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux13.yaml new file mode 100755 index 00000000000..9eb78f0b6f4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux13.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_kvm_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux14.yaml new file mode 100755 index 00000000000..65538ab2a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux14.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_kvm_t + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux15.yaml new file mode 100755 index 00000000000..0860e566de2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux15.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux16.yaml new file mode 100755 index 00000000000..dbc402e3c0f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux16.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux17.yaml new file mode 100755 index 00000000000..54f075db6c6 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux17.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux18.yaml new file mode 100755 index 00000000000..d4e08b855a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux18.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + level: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux19.yaml new file mode 100755 index 00000000000..93750017a4f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux19.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + level: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} 
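Review bot: pass/selinux17.yaml is identical to pass/selinux15.yaml and pass/selinux16.yaml apart from `metadata.name`, and the same body appears again in v1.6 pass/selinux3.yaml, selinux4.yaml and selinux5.yaml: all six set `seLinuxOptions: {}` at pod, container and init-container level. As stored, they cannot show which allowed input each one was meant to cover. Presumably a field set to an empty string was dropped when the pod was serialized, but that is an inference from the files alone. Either keep a single copy or record the intended case in each file, for example with a leading comment such as `# case: <field under test> explicitly empty, omitted on serialization`.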
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux2.yaml new file mode 100755 index 00000000000..c132fd27c9b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux20.yaml new file mode 100755 index 00000000000..69fde55ca14 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux20.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux20 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + level: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux3.yaml new file mode 100755 index 00000000000..c640b84c2d7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux3.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux4.yaml new file mode 100755 index 00000000000..d9bd3a68476 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux4.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux5.yaml new file mode 100755 index 00000000000..37d9add6051 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux5.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux6.yaml new file mode 100755 index 00000000000..132c8eab9aa --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux6.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux7.yaml new file mode 100755 index 00000000000..ad08ffeaa08 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux7.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux8.yaml new file mode 100755 index 00000000000..99ab7059633 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux8.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_t + securityContext: + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux9.yaml new file mode 100755 index 00000000000..500d032e3d9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/selinux9.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_init_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities0.yaml new file mode 100755 index 00000000000..fad76945b33 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - NET_RAW + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities1.yaml new file mode 100755 index 00000000000..314cc49cc9d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities1.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - NET_RAW + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities2.yaml new file mode 100755 index 00000000000..2a8a9a23339 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - chown + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities3.yaml new file mode 100755 index 00000000000..7e2702d1c80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - chown + securityContext: {} 
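Review bot: fail/addcapabilities2.yaml and fail/addcapabilities3.yaml give no indication of why `chown` must be rejected; the reason only shows when they are compared with pass/addcapabilities0.yaml, which adds `CHOWN`. The same applies to the `bogus` and `CAP_CHOWN` fixtures (addcapabilities4 to addcapabilities7). Read together, the files suggest that capability names are compared exactly, case-sensitively and without the `CAP_` prefix, which is worth stating because policy authors often assume otherwise. A leading comment would make each file self-explanatory, for example `# expected: rejected, "chown" is not an exact match for an allowed capability name`.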
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities4.yaml new file mode 100755 index 00000000000..a2ffd421b3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities4.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - bogus + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities5.yaml new file mode 100755 index 00000000000..011d3826820 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - bogus + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities6.yaml new file mode 100755 index 00000000000..a41704fe7a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities6.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities7.yaml new file mode 100755 index 00000000000..2a451ec6fc7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/addcapabilities7.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - CAP_CHOWN + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux0.yaml new file mode 100755 index 00000000000..a7a949fb2c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux1.yaml new file mode 100755 index 00000000000..f44633c8ab9 
--- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux2.yaml new file mode 100755 index 00000000000..c6ea8f1ccee --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux3.yaml new file mode 100755 index 00000000000..3c697dcda21 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + user: somevalue 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux4.yaml new file mode 100755 index 00000000000..9290b5bb925 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux4.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + user: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux5.yaml new file mode 100755 index 00000000000..00005ea86d7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + user: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux6.yaml new file mode 100755 index 00000000000..1323b728e9f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux6.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + role: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux7.yaml new file mode 100755 index 00000000000..33514c7180b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux7.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + role: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux8.yaml new file mode 100755 index 00000000000..429c552f1c6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/selinux8.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + role: somevalue + securityContext: + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/addcapabilities0.yaml new file mode 100755 index 00000000000..08af9d73edd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/addcapabilities0.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/addcapabilities1.yaml new file mode 100755 index 00000000000..d5c07bdb914 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/addcapabilities1.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/base.yaml new file mode 100755 index 00000000000..acd9c046ec7 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/base.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux0.yaml new file mode 100755 index 00000000000..97fc26aba33 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux1.yaml new file mode 100755 index 00000000000..43c34db39f1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux10.yaml new file mode 100755 index 00000000000..c6f38fc576a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux10.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_init_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux11.yaml new file mode 100755 index 00000000000..a822804f6ab --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux11.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_init_t + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux12.yaml new file mode 100755 index 00000000000..b1c68dc32ad --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux12.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_kvm_t 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux13.yaml new file mode 100755 index 00000000000..9eb78f0b6f4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux13.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_kvm_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux14.yaml new file mode 100755 index 00000000000..65538ab2a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux14.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_kvm_t + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux15.yaml new file mode 100755 index 00000000000..0860e566de2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux15.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux16.yaml new file mode 100755 index 00000000000..dbc402e3c0f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux16.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux17.yaml new file mode 100755 index 00000000000..54f075db6c6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux17.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux18.yaml new file mode 100755 index 00000000000..d4e08b855a4 --- /dev/null 
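Review bot: selinux15.yaml, selinux16.yaml and selinux17.yaml are identical apart from `metadata.name`, since all three `seLinuxOptions` are `{}`. The same holds for v1.7/pass selinux3/4/5 and v1.8/pass selinux15/16/17, so these cases add no coverage beyond one another. Presumably each was meant to set a different field (`type`, `user`, `role`) to an explicit empty string that was dropped on serialization. If accepting an explicit empty value is the behaviour under test, the manifest has to carry it, e.g. `type: ""` under the pod-level `seLinuxOptions:`. Otherwise the duplicates can be collapsed into a single case.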
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux18.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + level: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux19.yaml new file mode 100755 index 00000000000..93750017a4f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux19.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + level: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux2.yaml new file mode 100755 index 00000000000..c132fd27c9b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux20.yaml new file mode 100755 index 00000000000..69fde55ca14 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux20.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux20 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + level: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux3.yaml new file mode 100755 index 00000000000..c640b84c2d7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux3.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux4.yaml new file mode 100755 index 00000000000..d9bd3a68476 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux4.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux5.yaml new file mode 100755 index 00000000000..37d9add6051 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux5.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux6.yaml new file mode 100755 index 00000000000..132c8eab9aa --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux6.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux7.yaml new file mode 100755 index 00000000000..ad08ffeaa08 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux7.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux8.yaml new file mode 100755 index 00000000000..99ab7059633 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux8.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_t + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux9.yaml new file mode 100755 index 00000000000..500d032e3d9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/selinux9.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_init_t 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities0.yaml new file mode 100755 index 00000000000..fad76945b33 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - NET_RAW + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities1.yaml new file mode 100755 index 00000000000..314cc49cc9d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - NET_RAW + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities2.yaml new file mode 100755 index 00000000000..2a8a9a23339 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities2.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - chown + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities3.yaml new file mode 100755 index 00000000000..7e2702d1c80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - chown + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities4.yaml new file mode 100755 index 00000000000..a2ffd421b3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities4.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - bogus + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} 
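Review bot: Nothing in v1.8/fail/addcapabilities2.yaml says why `chown` must be rejected when `CHOWN` is in the pass fixture's list. The same applies to `bogus` (addcapabilities4/5) and `CAP_CHOWN` (addcapabilities6/7), and the numbered file names do not help. A header comment would make the intent reviewable without diffing against the pass fixtures, for example `# must be rejected: "chown" is not the allowed spelling "CHOWN"`. The exact-match rule is inferred from which directory each file sits in, not from anything shown here. The spelling cases are worth stating because a policy check and a container runtime that normalise capability names differently could disagree about what was granted.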
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities5.yaml new file mode 100755 index 00000000000..011d3826820 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - bogus + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities6.yaml new file mode 100755 index 00000000000..a41704fe7a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities6.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities7.yaml new file mode 100755 index 00000000000..2a451ec6fc7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/addcapabilities7.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - CAP_CHOWN + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux0.yaml new file mode 100755 index 00000000000..a7a949fb2c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux1.yaml new file mode 100755 index 00000000000..f44633c8ab9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux2.yaml new file mode 100755 index 00000000000..c6ea8f1ccee --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux3.yaml new file mode 100755 index 00000000000..3c697dcda21 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + user: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux4.yaml new file mode 100755 index 00000000000..9290b5bb925 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux4.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + user: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} 
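Review bot: Each SELinux fail fixture (selinux0 to selinux8) sets exactly one disallowed field to `somevalue` and leaves everything else empty, so none combines an allowed `type` with a disallowed `user` or `role` in the same `seLinuxOptions`. A check that stopped after seeing an acceptable `type` would still pass this whole set. One more fail case would pin that down, with the pod-level options as `type: container_t` plus `user: somevalue`, and an equivalent for `role`. A mixed-level case would also be worth adding: a valid type on the container and a disallowed field on the pod.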
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux5.yaml new file mode 100755 index 00000000000..00005ea86d7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + user: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux6.yaml new file mode 100755 index 00000000000..1323b728e9f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux6.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + role: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux7.yaml new file mode 100755 index 00000000000..33514c7180b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux7.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + role: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux8.yaml new file mode 100755 index 00000000000..429c552f1c6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/selinux8.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + role: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/addcapabilities0.yaml new file mode 100755 index 00000000000..08af9d73edd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/addcapabilities0.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/addcapabilities1.yaml new file mode 100755 index 00000000000..d5c07bdb914 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/addcapabilities1.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/base.yaml new file mode 100755 index 00000000000..acd9c046ec7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/base.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux0.yaml new file mode 100755 index 00000000000..97fc26aba33 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux1.yaml new file mode 100755 index 00000000000..43c34db39f1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux10.yaml new file mode 100755 index 00000000000..c6f38fc576a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux10.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_init_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux11.yaml new file mode 100755 index 00000000000..a822804f6ab --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux11.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_init_t + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux12.yaml new file mode 100755 index 00000000000..b1c68dc32ad --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux12.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_kvm_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux13.yaml new file mode 100755 index 00000000000..9eb78f0b6f4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux13.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_kvm_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux14.yaml new file mode 100755 index 00000000000..65538ab2a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux14.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_kvm_t + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux15.yaml new file mode 100755 index 00000000000..0860e566de2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux15.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux16.yaml new file mode 100755 index 00000000000..dbc402e3c0f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux16.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux17.yaml new file mode 100755 index 00000000000..54f075db6c6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux17.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux18.yaml new file mode 100755 index 00000000000..d4e08b855a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux18.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + level: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux19.yaml new file mode 100755 index 00000000000..93750017a4f --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux19.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + level: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux2.yaml new file mode 100755 index 00000000000..c132fd27c9b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux20.yaml new file mode 100755 index 00000000000..69fde55ca14 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux20.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux20 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + level: somevalue + securityContext: + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux3.yaml new file mode 100755 index 00000000000..c640b84c2d7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux3.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux4.yaml new file mode 100755 index 00000000000..d9bd3a68476 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux4.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux5.yaml new file mode 100755 index 00000000000..37d9add6051 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux5.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux6.yaml new file mode 100755 index 00000000000..132c8eab9aa --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux6.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux7.yaml new file mode 100755 index 00000000000..ad08ffeaa08 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux7.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux8.yaml new file mode 100755 index 00000000000..99ab7059633 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux8.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_t + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux9.yaml new file mode 100755 index 00000000000..500d032e3d9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/selinux9.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_init_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities0.yaml new file mode 100755 index 00000000000..fad76945b33 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - NET_RAW + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities1.yaml new file mode 100755 index 00000000000..314cc49cc9d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - NET_RAW + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities2.yaml new file mode 100755 index 00000000000..2a8a9a23339 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - chown + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities3.yaml new file mode 100755 index 00000000000..7e2702d1c80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities3.yaml 
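Review bot: Nothing in fail/addcapabilities2.yaml says why `chown` must be rejected when v1.9/pass/addcapabilities0.yaml adds `CHOWN`. The same gap applies to `chown` in addcapabilities3.yaml and to `CAP_CHOWN` in addcapabilities6.yaml and addcapabilities7.yaml. Taken together, the fixtures imply that the baseline allow-list is matched exactly, case-sensitively and without the `CAP_` prefix, but a maintainer has to infer that by comparing directories. A leading comment such as `# capability names are matched exactly; lowercase or CAP_-prefixed spellings are not on the baseline allow-list` would record the intent next to the data.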
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - chown + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities4.yaml new file mode 100755 index 00000000000..a2ffd421b3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities4.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - bogus + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities5.yaml new file mode 100755 index 00000000000..011d3826820 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - bogus + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities6.yaml new file mode 100755 index 00000000000..a41704fe7a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities6.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities7.yaml new file mode 100755 index 00000000000..2a451ec6fc7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/addcapabilities7.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - CAP_CHOWN + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux0.yaml new file mode 100755 index 00000000000..a7a949fb2c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux0.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux1.yaml new file mode 100755 index 00000000000..f44633c8ab9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux2.yaml new file mode 100755 index 00000000000..c6ea8f1ccee --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux3.yaml new file mode 100755 index 00000000000..3c697dcda21 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + user: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux4.yaml new file mode 100755 index 00000000000..9290b5bb925 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux4.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + user: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux5.yaml new file mode 100755 index 00000000000..00005ea86d7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + user: somevalue + securityContext: + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux6.yaml new file mode 100755 index 00000000000..1323b728e9f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux6.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + role: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux7.yaml new file mode 100755 index 00000000000..33514c7180b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux7.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + role: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux8.yaml new file mode 100755 index 00000000000..429c552f1c6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/selinux8.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + role: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/addcapabilities0.yaml new file mode 100755 index 00000000000..08af9d73edd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/addcapabilities0.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/addcapabilities1.yaml new file mode 100755 index 00000000000..d5c07bdb914 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/addcapabilities1.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/base.yaml new file mode 100755 index 00000000000..acd9c046ec7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/base.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux0.yaml new file mode 100755 index 00000000000..97fc26aba33 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux1.yaml new file mode 100755 index 00000000000..43c34db39f1 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux10.yaml new file mode 100755 index 00000000000..c6f38fc576a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux10.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_init_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux11.yaml new file mode 100755 index 00000000000..a822804f6ab --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux11.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_init_t + securityContext: + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux12.yaml new file mode 100755 index 00000000000..b1c68dc32ad --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux12.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: container_kvm_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux13.yaml new file mode 100755 index 00000000000..9eb78f0b6f4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux13.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_kvm_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux14.yaml new file mode 100755 index 00000000000..65538ab2a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux14.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_kvm_t + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux15.yaml new file mode 100755 index 00000000000..0860e566de2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux15.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux16.yaml new file mode 100755 index 00000000000..dbc402e3c0f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux16.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux17.yaml new file mode 100755 index 00000000000..54f075db6c6 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux17.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux18.yaml new file mode 100755 index 00000000000..d4e08b855a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux18.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + level: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux19.yaml new file mode 100755 index 00000000000..93750017a4f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux19.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + level: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux2.yaml new file mode 100755 index 00000000000..c132fd27c9b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux20.yaml new file mode 100755 index 00000000000..69fde55ca14 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux20.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux20 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + level: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux3.yaml new file mode 100755 index 00000000000..c640b84c2d7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux3.yaml 
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux4.yaml
new file mode 100755
index 00000000000..d9bd3a68476
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux4.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux5.yaml
new file mode 100755
index 00000000000..37d9add6051
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux5.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux6.yaml
new file mode 100755
index 00000000000..132c8eab9aa
--- /dev/null
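Review bot: The baseline/v1.9 pass fixtures selinux3, selinux4 and selinux5 are identical apart from `metadata.name`, with every `seLinuxOptions` written as `{}`, and selinux17 in the same directory has the same body, so as YAML they exercise one input four times. If each was meant to cover a different empty field (presumably an empty `type`, `user` or `role` that is dropped when the pod is serialized), that intent cannot be read from the file. A leading comment such as `# seLinuxOptions.user set to the empty string` in each file, or collapsing the duplicates, would make the coverage reviewable. The same repetition appears in restricted/v1.0/pass (selinux15, selinux16, selinux17, selinux3, selinux4).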
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux6.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux7.yaml
new file mode 100755
index 00000000000..ad08ffeaa08
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux7.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux8.yaml
new file mode 100755
index 00000000000..99ab7059633
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux8.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux9.yaml
new file mode 100755
index 00000000000..500d032e3d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/selinux9.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..7d2a40aa16f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..4ce478cc101
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..e2ac69c257c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7b8039471c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities3.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..c35f9bac810
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities4.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..750b776c0e9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities5.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a7c074252bc
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..05e8355ab2e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/addcapabilities7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/runasnonroot0.yaml
new file mode 100755
index 00000000000..0c718535423
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/runasnonroot0.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/runasnonroot1.yaml
new file mode 100755
index 00000000000..a2c190cd5d6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/runasnonroot1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: false
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/runasnonroot2.yaml
new file mode 100755
index 00000000000..7a7d85978a6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/runasnonroot2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/runasnonroot3.yaml
new file mode 100755
index 00000000000..0247a604640
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/runasnonroot3.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/runasnonroot4.yaml
new file mode 100755
index 00000000000..688e7988348
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/runasnonroot4.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux0.yaml
new file mode 100755
index 00000000000..363b8deb226
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux1.yaml
new file mode 100755
index 00000000000..193ad4e87eb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux1.yaml
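Review bot: The restricted/v1.0 fail set for runAsNonRoot, which ends with runasnonroot4.yaml here, never combines an explicit `true` with an unset field. runasnonroot0 and runasnonroot4 leave the field unset everywhere, and runasnonroot1 to runasnonroot3 each contain an explicit `runAsNonRoot: false`. A pod where container1 sets `runAsNonRoot: true` while initcontainer1 and the pod-level `securityContext` stay `{}` should also be rejected, and no fixture pins that, so a check that stops at the first container carrying `true` would still pass this suite. I would add a runasnonroot5.yaml with exactly that shape, and its mirror with the init container as the only one setting `true`.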
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux2.yaml
new file mode 100755
index 00000000000..537e193472d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux3.yaml
new file mode 100755
index 00000000000..289dd23f9bb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux3.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux4.yaml
new file mode 100755
index 00000000000..878fd40a5ae
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux4.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux5.yaml
new file mode 100755
index 00000000000..89ea534e449
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux5.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux6.yaml
new file mode 100755
index 00000000000..1d8f5da087d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux7.yaml
new file mode 100755
index 00000000000..544f026b321
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux8.yaml
new file mode 100755
index 00000000000..64fc5eba2a3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/selinux8.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..3185a9f177b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/addcapabilities0.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..650b78e6671
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/addcapabilities1.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/base.yaml
new file mode 100755
index 00000000000..aa0683c9292
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/base.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..5cb641d1bca
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/runasnonroot0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..4313f124ba0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/runasnonroot1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..50b6eb3ab8d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/runasnonroot2.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux0.yaml
new file mode 100755
index 00000000000..f12fef14392
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux1.yaml
new file mode 100755
index 00000000000..7f04d1db606
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux10.yaml
new file mode 100755
index 00000000000..72f933306fb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux10.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux11.yaml
new file mode 100755
index 00000000000..50dff0fc74f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux11.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux12.yaml
new file mode 100755
index 00000000000..cf3a07d2cd5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux12.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux13.yaml
new file mode 100755
index 00000000000..b32e3fab6a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux13.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux14.yaml
new file mode 100755
index 00000000000..06af2b8960f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux14.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux15.yaml
new file mode 100755
index 00000000000..08bdbba3046
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux15.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux16.yaml
new file mode 100755
index 00000000000..53cfaea819a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux16.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux17.yaml
new file mode 100755
index 00000000000..5c9d12d4442
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux17.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux18.yaml
new file mode 100755
index 00000000000..08be2f6cafb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux18.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux19.yaml
new file mode 100755
index 00000000000..a1e3ea1cb98
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux19.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux2.yaml
new file mode 100755
index 00000000000..51ab535ab12
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux2.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux20.yaml
new file mode 100755
index 00000000000..4cd5be51506
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux20.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux3.yaml
new file mode 100755
index 00000000000..15959503854
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux4.yaml
new file mode 100755
index 00000000000..d7b44e06767
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux5.yaml
new file mode 100755
index 00000000000..12f60be1691
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux6.yaml
new file mode 100755
index 00000000000..68c7741f105
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux7.yaml
new file mode 100755
index 00000000000..242ee6e1a58
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux8.yaml
new file mode 100755
index 00000000000..12839265d00
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux8.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux9.yaml
new file mode 100755
index 00000000000..bbe871037c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/selinux9.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..7d2a40aa16f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..4ce478cc101
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..e2ac69c257c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7b8039471c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities3.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..c35f9bac810
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities4.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..750b776c0e9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities5.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a7c074252bc
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..05e8355ab2e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/addcapabilities7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/runasnonroot0.yaml
new file mode 100755
index 00000000000..0c718535423
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/runasnonroot0.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/runasnonroot1.yaml
new file mode 100755
index 00000000000..a2c190cd5d6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/runasnonroot1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: false
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/runasnonroot2.yaml
new file mode 100755
index 00000000000..7a7d85978a6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/runasnonroot2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/runasnonroot3.yaml
new file mode 100755
index 00000000000..0247a604640
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/runasnonroot3.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/runasnonroot4.yaml
new file mode 100755
index 00000000000..688e7988348
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/runasnonroot4.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux0.yaml
new file mode 100755
index 00000000000..363b8deb226
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux0.yaml
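Review bot: The `restricted/v1.1/fail/runasnonroot*.yaml` set has no case where the pod-level `securityContext` leaves `runAsNonRoot` unset and only one of the two containers sets it: `runasnonroot0` and `runasnonroot4` leave it unset everywhere, and `runasnonroot1`–`runasnonroot3` each carry an explicit `false`. A check that stopped at the first container that opts in, or that skipped `initContainers` when the pod-level value is absent, would still satisfy every fixture here and in `pass/`. Two more fail fixtures would close that gap: pod `securityContext: {}` with `runAsNonRoot: true` on `container1` only, and the mirror with it on `initcontainer1` only.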
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux1.yaml
new file mode 100755
index 00000000000..193ad4e87eb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux2.yaml
new file mode 100755
index 00000000000..537e193472d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux3.yaml
new file mode 100755
index 00000000000..289dd23f9bb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux3.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux4.yaml
new file mode 100755
index 00000000000..878fd40a5ae
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux4.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux5.yaml
new file mode 100755
index 00000000000..89ea534e449
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux5.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux6.yaml
new file mode 100755
index 00000000000..1d8f5da087d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux7.yaml
new file mode 100755
index 00000000000..544f026b321
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux8.yaml
new file mode 100755
index 00000000000..64fc5eba2a3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/selinux8.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..3185a9f177b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/addcapabilities0.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..650b78e6671
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/addcapabilities1.yaml
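Review bot: `restricted/v1.1/pass/addcapabilities0.yaml` expects a pod that adds thirteen capabilities, among them `DAC_OVERRIDE`, `SETUID`, `MKNOD` and `SYS_CHROOT`, and drops none, to be admitted at the restricted level; `pass/addcapabilities1.yaml` expects the same for the init container. With these as the expected result, restricted v1.1 puts no tighter bound on `capabilities.add` than the fail fixtures' rejection of `NET_RAW`, `chown`, `bogus` and `CAP_CHOWN`, which reads like the baseline allow-list carried over unchanged. If that is intended for this version, say so where the case is defined, e.g. `# restricted v1.1 adds no capability check beyond baseline`; if restricted is meant to require a reduced set, these two files belong under `fail/`.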
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/base.yaml
new file mode 100755
index 00000000000..aa0683c9292
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/base.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..5cb641d1bca
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/runasnonroot0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..4313f124ba0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/runasnonroot1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..50b6eb3ab8d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/runasnonroot2.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux0.yaml
new file mode 100755
index 00000000000..f12fef14392
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux1.yaml
new file mode 100755
index 00000000000..7f04d1db606
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux10.yaml
new file mode 100755
index 00000000000..72f933306fb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux10.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux11.yaml
new file mode 100755
index 00000000000..50dff0fc74f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux11.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux12.yaml
new file mode 100755
index 00000000000..cf3a07d2cd5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux12.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux13.yaml
new file mode 100755
index 00000000000..b32e3fab6a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux13.yaml
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_kvm_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux14.yaml new file mode 100755 index 00000000000..06af2b8960f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux14.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_kvm_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux15.yaml new file mode 100755 index 00000000000..08bdbba3046 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux15.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
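Review bot: selinux15.yaml has the same body as selinux16.yaml and selinux17.yaml, and as selinux3.yaml, selinux4.yaml and selinux5.yaml in the same pass directory: all six set `seLinuxOptions: {}` on both containers and on the pod, and differ only in `metadata.name`. Presumably each came from a distinct input (for example a field set to an empty string) that was dropped on serialization, so on disk the six files exercise one case rather than six. Either deduplicate them or, if the explicitly empty form matters to the SELinux check, keep the field in the written YAML, e.g. `user: ""`, so the distinction survives in the fixture.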
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux16.yaml new file mode 100755 index 00000000000..53cfaea819a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux16.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux17.yaml new file mode 100755 index 00000000000..5c9d12d4442 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux17.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux18.yaml new file mode 100755 index 00000000000..08be2f6cafb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux18.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + level: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux19.yaml new file mode 100755 index 00000000000..a1e3ea1cb98 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux19.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + level: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux2.yaml new file mode 100755 index 00000000000..51ab535ab12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux2.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux20.yaml new file mode 100755 index 00000000000..4cd5be51506 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux20.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux20 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + level: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux3.yaml new file mode 100755 index 00000000000..15959503854 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux4.yaml new file mode 100755 index 00000000000..d7b44e06767 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux4.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux5.yaml new file mode 100755 index 00000000000..12f60be1691 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux6.yaml new file mode 100755 index 00000000000..68c7741f105 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux6.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_t 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux7.yaml new file mode 100755 index 00000000000..242ee6e1a58 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux7.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux8.yaml new file mode 100755 index 00000000000..12839265d00 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux8.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux9.yaml new file mode 100755 index 00000000000..bbe871037c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/selinux9.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_init_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities0.yaml new file mode 100755 index 00000000000..8d989f6f2ba --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities1.yaml new file mode 100755 index 00000000000..92c51f1a671 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities2.yaml new file mode 100755 index 00000000000..f1decea46f1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities3.yaml new file mode 100755 index 00000000000..23f4b98b35c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities3.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities4.yaml new file mode 100755 index 00000000000..270fd72f07d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities4.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - bogus + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities5.yaml new file mode 100755 index 00000000000..58e5bd93805 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities5.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - bogus + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities6.yaml new file mode 100755 index 00000000000..935bbec6908 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities7.yaml new file mode 100755 index 00000000000..acb905603ef --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/addcapabilities7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation0.yaml new file mode 100755 index 00000000000..f3835ccd458 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation0.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation1.yaml new file mode 100755 index 00000000000..2a63d4f945c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: true + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation2.yaml new file mode 100755 index 00000000000..f3eaa44ffef --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation3.yaml new file mode 100755 index 00000000000..981f2c97513 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation3.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation4.yaml new file mode 100755 index 00000000000..6c21220c390 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation4.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation5.yaml new file mode 100755 index 00000000000..6c9c205114e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/allowprivilegeescalation5.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/runasnonroot0.yaml new file mode 100755 index 00000000000..333736b5ee5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/runasnonroot0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/runasnonroot1.yaml new file mode 100755 index 00000000000..3d9fa196e3a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/runasnonroot1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: false 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/runasnonroot2.yaml new file mode 100755 index 00000000000..90fb05805ff --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/runasnonroot2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/runasnonroot3.yaml new file mode 100755 index 00000000000..90d318e1a7c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/runasnonroot3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/runasnonroot4.yaml new file mode 100755 index 00000000000..688e7988348 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/runasnonroot4.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux0.yaml new file mode 100755 index 00000000000..bfb4dde7008 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux1.yaml new file mode 100755 index 00000000000..b3be2791491 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
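Review bot: runasnonroot4.yaml cannot isolate the runAsNonRoot check, because neither container has a `securityContext`, and allowprivilegeescalation4.yaml in the same fail directory shows that a container without one is already rejected at this level. If the runAsNonRoot check regressed, this pod would presumably still be denied for the missing `allowPrivilegeEscalation: false`, unless the harness asserts which check produced the denial (not visible here). Giving both containers a `securityContext:` with `allowPrivilegeEscalation: false`, while still leaving the pod-level `securityContext` unset, would make runAsNonRoot the only reason this fixture fails.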
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux2.yaml new file mode 100755 index 00000000000..933d98f0afd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux3.yaml new file mode 100755 index 00000000000..236e6994069 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux3.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + user: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux4.yaml new file mode 100755 index 00000000000..72bb1e246da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux4.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + user: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux5.yaml new file mode 100755 index 00000000000..054ed87df3b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux5.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + user: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux6.yaml new file mode 100755 index 00000000000..c7885b0e51b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + role: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux7.yaml new file mode 100755 index 00000000000..dc8abb1a8d9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + role: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux8.yaml new file mode 100755 index 00000000000..0f900bb42f0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/selinux8.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + role: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/addcapabilities0.yaml new file mode 100755 index 00000000000..f28e384225c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/addcapabilities0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/addcapabilities1.yaml new file mode 100755 index 00000000000..b4be8387110 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/addcapabilities1.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/allowprivilegeescalation0.yaml new file mode 100755 index 00000000000..b2a028c9622 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/allowprivilegeescalation0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/base.yaml new file mode 100755 index 00000000000..56b47e7f2f4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/base.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/runasnonroot0.yaml new file mode 100755 index 00000000000..7250230e275 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/runasnonroot0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/runasnonroot1.yaml new file mode 100755 index 00000000000..7ba6345d0f2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/runasnonroot1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/runasnonroot2.yaml new file mode 100755 index 00000000000..27b53f0d805 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/runasnonroot2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux0.yaml new file mode 100755 index 00000000000..d914e0b00c8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux1.yaml new file mode 100755 index 00000000000..c391cd71474 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux1.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux10.yaml new file mode 100755 index 00000000000..67d30aa7119 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_init_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux11.yaml new file mode 100755 index 00000000000..5e8e4299521 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux11.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_init_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux12.yaml new file mode 100755 index 00000000000..67150038291 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux12.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_kvm_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux13.yaml new file mode 100755 index 00000000000..2c44d9fd807 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux13.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_kvm_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux14.yaml new file mode 100755 index 00000000000..08d9789a6d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux14.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_kvm_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux15.yaml new file mode 100755 index 00000000000..6ab973f2a29 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux15.yaml 
@@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux16.yaml new file mode 100755 index 00000000000..a51186318c9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux16.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux17.yaml new file mode 100755 index 00000000000..16c93576fb5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux17.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
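Review bot: pass/selinux15.yaml, selinux16.yaml and selinux17.yaml are identical apart from `metadata.name`: each sets `seLinuxOptions: {}` on the container, the init container and the pod. The later pass/selinux3.yaml, selinux4.yaml and selinux5.yaml hunks have the same body. Whatever distinguished these six cases is not present in the serialized pod (possibly an empty-string field dropped on output), so they all present the same input to the SELinux check. Either collapse them or make the intent recoverable with a leading comment in each file, for example `# case: <field this case sets, per the fixture source>`.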
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux18.yaml new file mode 100755 index 00000000000..6141503f43f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + level: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux19.yaml new file mode 100755 index 00000000000..2251561ecd0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + level: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux2.yaml new file mode 100755 index 00000000000..b8498cbc662 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux2.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux20.yaml new file mode 100755 index 00000000000..d5819531dcb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux20.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux20 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + level: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux3.yaml new file mode 100755 index 00000000000..54345a56a0e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux3.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux4.yaml new file mode 100755 index 00000000000..0274d5bbc5f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux4.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux5.yaml new file mode 100755 index 00000000000..72b1c0818a8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux5.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux6.yaml new file mode 100755 index 00000000000..9d0c703d8a9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux7.yaml new file mode 100755 index 00000000000..5138c5cdcb2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux8.yaml new file mode 100755 index 00000000000..99fd076bed6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux8.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux9.yaml new file mode 100755 index 00000000000..b4c3e31d113 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/selinux9.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_init_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities0.yaml new file mode 100755 index 00000000000..8d989f6f2ba --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities0.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities1.yaml new file mode 100755 index 00000000000..92c51f1a671 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities2.yaml new file mode 100755 index 00000000000..f1decea46f1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities2.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities3.yaml new file mode 100755 index 00000000000..23f4b98b35c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities3.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities4.yaml new file mode 100755 index 00000000000..270fd72f07d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities4.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - bogus + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities5.yaml new file mode 100755 index 00000000000..58e5bd93805 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities5.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - bogus + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities6.yaml new file mode 100755 index 00000000000..935bbec6908 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities7.yaml new file mode 100755 index 00000000000..acb905603ef --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/addcapabilities7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation0.yaml new file mode 100755 index 00000000000..f3835ccd458 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation0.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation1.yaml new file mode 100755 index 00000000000..2a63d4f945c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: true + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation2.yaml new file mode 100755 index 00000000000..f3eaa44ffef --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation3.yaml new file mode 100755 index 00000000000..981f2c97513 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation3.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation4.yaml new file mode 100755 index 00000000000..6c21220c390 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation4.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation5.yaml new file mode 100755 index 00000000000..6c9c205114e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/allowprivilegeescalation5.yaml 
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/runasnonroot0.yaml
new file mode 100755
index 00000000000..333736b5ee5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/runasnonroot0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/runasnonroot1.yaml
new file mode 100755
index 00000000000..3d9fa196e3a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/runasnonroot1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: false
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/runasnonroot2.yaml
new file mode 100755
index 00000000000..90fb05805ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/runasnonroot2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/runasnonroot3.yaml
new file mode 100755
index 00000000000..90d318e1a7c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/runasnonroot3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/runasnonroot4.yaml
new file mode 100755
index 00000000000..688e7988348
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/runasnonroot4.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux0.yaml
new file mode 100755
index 00000000000..bfb4dde7008
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux1.yaml
new file mode 100755
index 00000000000..b3be2791491
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
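Review bot: restricted/v1.11/fail/runasnonroot4.yaml carries no securityContext at pod, container or init-container level, so it also omits `allowPrivilegeEscalation: false`, and fail/allowprivilegeescalation4.yaml in the same directory shows that a container without a securityContext is already expected to be rejected. The fixture therefore violates two controls at once. If the harness asserts only allowed versus denied (it is not visible here), this case would keep passing even if the runAsNonRoot check stopped treating a missing security context as a failure. Consider having the test assert which check produced the denial for this fixture, so the nil-securityContext path of runAsNonRoot is actually pinned.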
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux2.yaml
new file mode 100755
index 00000000000..933d98f0afd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux3.yaml
new file mode 100755
index 00000000000..236e6994069
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux4.yaml
new file mode 100755
index 00000000000..72bb1e246da
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux4.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux5.yaml
new file mode 100755
index 00000000000..054ed87df3b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux6.yaml
new file mode 100755
index 00000000000..c7885b0e51b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux7.yaml
new file mode 100755
index 00000000000..dc8abb1a8d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux8.yaml
new file mode 100755
index 00000000000..0f900bb42f0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..f28e384225c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/addcapabilities0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..b4be8387110
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/addcapabilities1.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..b2a028c9622
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/base.yaml
new file mode 100755
index 00000000000..56b47e7f2f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/base.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..7250230e275
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/runasnonroot0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..7ba6345d0f2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/runasnonroot1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..27b53f0d805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/runasnonroot2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux0.yaml
new file mode 100755
index 00000000000..d914e0b00c8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux1.yaml
new file mode 100755
index 00000000000..c391cd71474
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux10.yaml
new file mode 100755
index 00000000000..67d30aa7119
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux10.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux11.yaml
new file mode 100755
index 00000000000..5e8e4299521
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux11.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux12.yaml
new file mode 100755
index 00000000000..67150038291
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux12.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux13.yaml
new file mode 100755
index 00000000000..2c44d9fd807
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux13.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux14.yaml
new file mode 100755
index 00000000000..08d9789a6d5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux14.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux15.yaml
new file mode 100755
index 00000000000..6ab973f2a29
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux15.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux16.yaml
new file mode 100755
index 00000000000..a51186318c9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux16.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux17.yaml
new file mode 100755
index 00000000000..16c93576fb5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux17.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
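Review bot: restricted/v1.11/pass/selinux15.yaml, selinux16.yaml and selinux17.yaml are identical apart from `metadata.name`, since every `seLinuxOptions` in them is `{}`, and pass/selinux3.yaml, selinux4.yaml and selinux5.yaml later in this diff repeat the same content. Presumably each was meant to carry a distinct permitted value (an unset or empty `type`, `user` or `role`, say) that did not survive serialisation. As committed, the files no longer show which allowed case they stand for, and replaying them adds no coverage beyond a single one. Either collapse them to one fixture or record the intended case in each file (a comment or an annotation) so that a later change to the SELinux check can be traced to the case it breaks.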
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux18.yaml
new file mode 100755
index 00000000000..6141503f43f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux18.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux19.yaml
new file mode 100755
index 00000000000..2251561ecd0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux19.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux2.yaml
new file mode 100755
index 00000000000..b8498cbc662
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux20.yaml
new file mode 100755
index 00000000000..d5819531dcb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux20.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux3.yaml
new file mode 100755
index 00000000000..54345a56a0e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux4.yaml
new file mode 100755
index 00000000000..0274d5bbc5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux4.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux5.yaml
new file mode 100755
index 00000000000..72b1c0818a8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux5.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux6.yaml
new file mode 100755
index 00000000000..9d0c703d8a9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux7.yaml
new file mode 100755
index 00000000000..5138c5cdcb2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux8.yaml
new file mode 100755
index 00000000000..99fd076bed6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux9.yaml
new file mode 100755
index 00000000000..b4c3e31d113
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/selinux9.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..8d989f6f2ba
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..92c51f1a671
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..f1decea46f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..23f4b98b35c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..270fd72f07d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities4.yaml
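Review bot: The added capability `chown` in restricted/v1.12/fail/addcapabilities2.yaml reads like a typo for `CHOWN`, which restricted/v1.12/pass/addcapabilities0.yaml lists among the accepted values, and nothing in the file says the lower-case spelling is deliberate. A leading comment such as `# lower-case on purpose: capability names are matched exactly` would make that clear, assuming exact matching is what the check is meant to enforce. The same applies to fail/addcapabilities3.yaml (`chown` on the init container) and to fail/addcapabilities6.yaml and fail/addcapabilities7.yaml (`CAP_CHOWN`).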
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..58e5bd93805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - bogus
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..935bbec6908
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..acb905603ef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/addcapabilities7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..f3835ccd458
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation1.yaml
new file mode 100755
index 00000000000..2a63d4f945c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation2.yaml
new file mode 100755
index 00000000000..f3eaa44ffef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation3.yaml
new file mode 100755
index 00000000000..981f2c97513
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation3.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation4.yaml
new file mode 100755
index 00000000000..6c21220c390
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation4.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation5.yaml
new file mode 100755
index 00000000000..6c9c205114e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/allowprivilegeescalation5.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/runasnonroot0.yaml
new file mode 100755
index 00000000000..333736b5ee5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/runasnonroot0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/runasnonroot1.yaml
new file mode 100755
index 00000000000..3d9fa196e3a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/runasnonroot1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: false
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/runasnonroot2.yaml
new file mode 100755
index 00000000000..90fb05805ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/runasnonroot2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/runasnonroot3.yaml
new file mode 100755
index 00000000000..90d318e1a7c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/runasnonroot3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/runasnonroot4.yaml
new file mode 100755
index 00000000000..688e7988348
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/runasnonroot4.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux0.yaml
new file mode 100755
index 00000000000..bfb4dde7008
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux1.yaml
new file mode 100755
index 00000000000..b3be2791491
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
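Review bot: restricted/v1.12/fail/runasnonroot4.yaml has no `securityContext` at all, so neither container sets `allowPrivilegeEscalation: false`, and fail/allowprivilegeescalation4.yaml in the same directory shows that this omission alone is expected to be rejected. The pod would therefore presumably still fail if the runAsNonRoot check stopped catching a missing pod-level context, which means the fixture does not isolate the check it is named after. Giving both containers `securityContext: {allowPrivilegeEscalation: false}` while leaving the pod-level `securityContext` absent would make runAsNonRoot the only reason for rejection; if the all-nil pod is the intended case, a leading comment saying so would help.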
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux2.yaml
new file mode 100755
index 00000000000..933d98f0afd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux3.yaml
new file mode 100755
index 00000000000..236e6994069
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux4.yaml
new file mode 100755
index 00000000000..72bb1e246da
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux4.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux5.yaml
new file mode 100755
index 00000000000..054ed87df3b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux6.yaml
new file mode 100755
index 00000000000..c7885b0e51b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux7.yaml
new file mode 100755
index 00000000000..dc8abb1a8d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux8.yaml
new file mode 100755
index 00000000000..0f900bb42f0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..f28e384225c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/addcapabilities0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..b4be8387110
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/addcapabilities1.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..b2a028c9622
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/base.yaml
new file mode 100755
index 00000000000..56b47e7f2f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/base.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..7250230e275
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/runasnonroot0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..7ba6345d0f2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/runasnonroot1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..27b53f0d805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/runasnonroot2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux0.yaml
new file mode 100755
index 00000000000..d914e0b00c8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux1.yaml
new file mode 100755
index 00000000000..c391cd71474
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux10.yaml
new file mode 100755
index 00000000000..67d30aa7119
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux10.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux11.yaml
new file mode 100755
index 00000000000..5e8e4299521
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux11.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux12.yaml
new file mode 100755
index 00000000000..67150038291
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux12.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux13.yaml
new file mode 100755
index 00000000000..2c44d9fd807
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux13.yaml
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_kvm_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux14.yaml new file mode 100755 index 00000000000..08d9789a6d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux14.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_kvm_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux15.yaml new file mode 100755 index 00000000000..6ab973f2a29 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux15.yaml 
@@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux16.yaml new file mode 100755 index 00000000000..a51186318c9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux16.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux17.yaml new file mode 100755 index 00000000000..16c93576fb5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux17.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux18.yaml new file mode 100755 index 00000000000..6141503f43f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + level: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux19.yaml new file mode 100755 index 00000000000..2251561ecd0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + level: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux2.yaml new file mode 100755 index 00000000000..b8498cbc662 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux2.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux20.yaml new file mode 100755 index 00000000000..d5819531dcb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux20.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux20 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + level: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux3.yaml new file mode 100755 index 00000000000..54345a56a0e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux3.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux4.yaml new file mode 100755 index 00000000000..0274d5bbc5f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux4.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux5.yaml new file mode 100755 index 00000000000..72b1c0818a8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux5.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux6.yaml new file mode 100755 index 00000000000..9d0c703d8a9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux7.yaml new file mode 100755 index 00000000000..5138c5cdcb2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux8.yaml new file mode 100755 index 00000000000..99fd076bed6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux8.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux9.yaml new file mode 100755 index 00000000000..b4c3e31d113 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/selinux9.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_init_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities0.yaml new file mode 100755 index 00000000000..8d989f6f2ba --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities0.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities1.yaml new file mode 100755 index 00000000000..92c51f1a671 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities2.yaml new file mode 100755 index 00000000000..f1decea46f1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities2.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities3.yaml new file mode 100755 index 00000000000..23f4b98b35c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities3.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities4.yaml new file mode 100755 index 00000000000..270fd72f07d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities4.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - bogus + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities5.yaml new file mode 100755 index 00000000000..58e5bd93805 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities5.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - bogus + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities6.yaml new file mode 100755 index 00000000000..935bbec6908 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities7.yaml new file mode 100755 index 00000000000..acb905603ef --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/addcapabilities7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation0.yaml new file mode 100755 index 00000000000..f3835ccd458 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation0.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation1.yaml new file mode 100755 index 00000000000..2a63d4f945c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: true + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation2.yaml new file mode 100755 index 00000000000..f3eaa44ffef --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation3.yaml new file mode 100755 index 00000000000..981f2c97513 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation3.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation4.yaml new file mode 100755 index 00000000000..6c21220c390 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation4.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation5.yaml new file mode 100755 index 00000000000..6c9c205114e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/allowprivilegeescalation5.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/runasnonroot0.yaml new file mode 100755 index 00000000000..333736b5ee5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/runasnonroot0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/runasnonroot1.yaml new file mode 100755 index 00000000000..3d9fa196e3a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/runasnonroot1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: false 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/runasnonroot2.yaml new file mode 100755 index 00000000000..90fb05805ff --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/runasnonroot2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/runasnonroot3.yaml new file mode 100755 index 00000000000..90d318e1a7c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/runasnonroot3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/runasnonroot4.yaml new file mode 100755 index 00000000000..688e7988348 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/runasnonroot4.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux0.yaml new file mode 100755 index 00000000000..bfb4dde7008 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux1.yaml new file mode 100755 index 00000000000..b3be2791491 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
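Review bot: The `restricted/v1.13/fail/runasnonroot4.yaml` fixture drops every `securityContext`, so it appears to fail for more than one reason and does not isolate the runAsNonRoot check. `allowprivilegeescalation4.yaml` in the same `fail` directory shows that a container without `allowPrivilegeEscalation: false` is already rejected at this level and version. This pod would therefore presumably still be rejected if the runAsNonRoot check stopped firing. Keeping `securityContext:` with `allowPrivilegeEscalation: false` on both `container1` and `initcontainer1`, and omitting only the `runAsNonRoot` fields, would pin the failure to the one check the file is named for. If these fixtures are generated, the change belongs in the generator, which is not part of this diff.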
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux2.yaml new file mode 100755 index 00000000000..933d98f0afd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux3.yaml new file mode 100755 index 00000000000..236e6994069 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux3.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + user: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux4.yaml new file mode 100755 index 00000000000..72bb1e246da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux4.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + user: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux5.yaml new file mode 100755 index 00000000000..054ed87df3b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux5.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + user: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux6.yaml new file mode 100755 index 00000000000..c7885b0e51b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + role: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux7.yaml new file mode 100755 index 00000000000..dc8abb1a8d9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + role: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux8.yaml new file mode 100755 index 00000000000..0f900bb42f0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/selinux8.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + role: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/addcapabilities0.yaml new file mode 100755 index 00000000000..f28e384225c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/addcapabilities0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/addcapabilities1.yaml new file mode 100755 index 00000000000..b4be8387110 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/addcapabilities1.yaml 
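Review bot: restricted/v1.13/pass/addcapabilities0.yaml gives no hint why a pod that adds thirteen capabilities, including `SETUID`, `SETGID`, `DAC_OVERRIDE` and `SYS_CHROOT`, is expected to pass at the restricted level. Presumably the restricted capability rule only takes effect at a later policy version and v1.13 applies just the baseline allow-list, but a reader cannot tell that from the file or its name. A leading comment such as `# restricted v1.13: only the baseline capability allow-list applies; all of these are on it` would make the expectation explicit, and pass/addcapabilities1.yaml (the same list on the init container) would need the same. If the fixtures are generated, the comment has to be emitted by the generator.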
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/allowprivilegeescalation0.yaml new file mode 100755 index 00000000000..b2a028c9622 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/allowprivilegeescalation0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/base.yaml new file mode 100755 index 00000000000..56b47e7f2f4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/base.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/runasnonroot0.yaml new file mode 100755 index 00000000000..7250230e275 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/runasnonroot0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/runasnonroot1.yaml new file mode 100755 index 00000000000..7ba6345d0f2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/runasnonroot1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/runasnonroot2.yaml new file mode 100755 index 00000000000..27b53f0d805 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/runasnonroot2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux0.yaml new file mode 100755 index 00000000000..d914e0b00c8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux1.yaml new file mode 100755 index 00000000000..c391cd71474 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux1.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux10.yaml new file mode 100755 index 00000000000..67d30aa7119 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_init_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux11.yaml new file mode 100755 index 00000000000..5e8e4299521 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux11.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_init_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux12.yaml new file mode 100755 index 00000000000..67150038291 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux12.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_kvm_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux13.yaml new file mode 100755 index 00000000000..2c44d9fd807 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux13.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_kvm_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux14.yaml new file mode 100755 index 00000000000..08d9789a6d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux14.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_kvm_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux15.yaml new file mode 100755 index 00000000000..6ab973f2a29 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux15.yaml 
@@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux16.yaml new file mode 100755 index 00000000000..a51186318c9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux16.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux17.yaml new file mode 100755 index 00000000000..16c93576fb5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux17.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
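Review bot: pass/selinux15.yaml, selinux16.yaml and selinux17.yaml are identical apart from `metadata.name`: every `seLinuxOptions` is `{}` in all three, and pass/selinux3.yaml, selinux4.yaml and selinux5.yaml later in the diff repeat the same content. If each was meant to cover a different input (for example a field explicitly set to an empty value), that difference does not survive in the YAML, so the six files exercise one and the same pod. Either drop the duplicates or keep the distinguishing field in the serialized form, so that each fixture tests what its source case intended.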
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux18.yaml new file mode 100755 index 00000000000..6141503f43f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + level: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux19.yaml new file mode 100755 index 00000000000..2251561ecd0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + level: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux2.yaml new file mode 100755 index 00000000000..b8498cbc662 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux2.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux20.yaml new file mode 100755 index 00000000000..d5819531dcb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux20.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux20 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + level: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux3.yaml new file mode 100755 index 00000000000..54345a56a0e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux3.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux4.yaml new file mode 100755 index 00000000000..0274d5bbc5f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux4.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux5.yaml new file mode 100755 index 00000000000..72b1c0818a8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux5.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux6.yaml new file mode 100755 index 00000000000..9d0c703d8a9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux7.yaml new file mode 100755 index 00000000000..5138c5cdcb2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux8.yaml new file mode 100755 index 00000000000..99fd076bed6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux8.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux9.yaml new file mode 100755 index 00000000000..b4c3e31d113 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/selinux9.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_init_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities0.yaml new file mode 100755 index 00000000000..8d989f6f2ba --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities0.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities1.yaml new file mode 100755 index 00000000000..92c51f1a671 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities2.yaml new file mode 100755 index 00000000000..f1decea46f1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities2.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities3.yaml new file mode 100755 index 00000000000..23f4b98b35c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities3.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities4.yaml new file mode 100755 index 00000000000..270fd72f07d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities4.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - bogus + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities5.yaml new file mode 100755 index 00000000000..58e5bd93805 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities5.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - bogus + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities6.yaml new file mode 100755 index 00000000000..935bbec6908 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities7.yaml new file mode 100755 index 00000000000..acb905603ef --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/addcapabilities7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation0.yaml new file mode 100755 index 00000000000..f3835ccd458 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation0.yaml 
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation1.yaml
new file mode 100755
index 00000000000..2a63d4f945c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation2.yaml
new file mode 100755
index 00000000000..f3eaa44ffef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation3.yaml
new file mode 100755
index 00000000000..981f2c97513
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation3.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation4.yaml
new file mode 100755
index 00000000000..6c21220c390
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation4.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation5.yaml
new file mode 100755
index 00000000000..6c9c205114e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/allowprivilegeescalation5.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/runasnonroot0.yaml
new file mode 100755
index 00000000000..333736b5ee5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/runasnonroot0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/runasnonroot1.yaml
new file mode 100755
index 00000000000..3d9fa196e3a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/runasnonroot1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: false
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/runasnonroot2.yaml
new file mode 100755
index 00000000000..90fb05805ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/runasnonroot2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/runasnonroot3.yaml
new file mode 100755
index 00000000000..90d318e1a7c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/runasnonroot3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/runasnonroot4.yaml
new file mode 100755
index 00000000000..688e7988348
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/runasnonroot4.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux0.yaml
new file mode 100755
index 00000000000..bfb4dde7008
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux1.yaml
new file mode 100755
index 00000000000..b3be2791491
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
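Review bot: fail/runasnonroot4.yaml does not isolate the runAsNonRoot check: the pod has no securityContext at pod, container or init-container level, so it also lacks `allowPrivilegeEscalation: false`, which fail/allowprivilegeescalation4.yaml in the same directory shows is enough for a rejection on its own. If the harness only asserts that the pod is rejected (the test code is not part of this diff), a regression in the runAsNonRoot check would not be caught by this fixture. I would have the harness assert which check rejected each fail fixture, or at least record the intent in the file with a leading comment such as `# must be rejected by the runAsNonRoot check; allowPrivilegeEscalation is unset here too`.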
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux2.yaml
new file mode 100755
index 00000000000..933d98f0afd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux3.yaml
new file mode 100755
index 00000000000..236e6994069
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux4.yaml
new file mode 100755
index 00000000000..72bb1e246da
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux4.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux5.yaml
new file mode 100755
index 00000000000..054ed87df3b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux6.yaml
new file mode 100755
index 00000000000..c7885b0e51b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux7.yaml
new file mode 100755
index 00000000000..dc8abb1a8d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux8.yaml
new file mode 100755
index 00000000000..0f900bb42f0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..f28e384225c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/addcapabilities0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..b4be8387110
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/addcapabilities1.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..b2a028c9622
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/base.yaml
new file mode 100755
index 00000000000..56b47e7f2f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/base.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..7250230e275
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/runasnonroot0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..7ba6345d0f2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/runasnonroot1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..27b53f0d805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/runasnonroot2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux0.yaml
new file mode 100755
index 00000000000..d914e0b00c8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux1.yaml
new file mode 100755
index 00000000000..c391cd71474
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux10.yaml
new file mode 100755
index 00000000000..67d30aa7119
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux10.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux11.yaml
new file mode 100755
index 00000000000..5e8e4299521
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux11.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux12.yaml
new file mode 100755
index 00000000000..67150038291
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux12.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux13.yaml
new file mode 100755
index 00000000000..2c44d9fd807
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux13.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux14.yaml
new file mode 100755
index 00000000000..08d9789a6d5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux14.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux15.yaml
new file mode 100755
index 00000000000..6ab973f2a29
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux15.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux16.yaml
new file mode 100755
index 00000000000..a51186318c9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux16.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux17.yaml
new file mode 100755
index 00000000000..16c93576fb5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux17.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
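Review bot: pass/selinux15.yaml, selinux16.yaml and selinux17.yaml are identical apart from `metadata.name`: all three set `seLinuxOptions: {}` on the container, the init container and the pod, and the same body appears again in pass/selinux3.yaml, selinux4.yaml and selinux5.yaml later in this diff. Whatever value was meant to distinguish these cases is not present in the files (possibly an empty string that was dropped on serialization, which is a guess), so five of the six add no coverage over the first. Either drop the duplicates or state the intended case in each file with a leading comment of the form `# case: <field under test and its value>`.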
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux18.yaml
new file mode 100755
index 00000000000..6141503f43f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux18.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux19.yaml
new file mode 100755
index 00000000000..2251561ecd0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux19.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux2.yaml
new file mode 100755
index 00000000000..b8498cbc662
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux2.yaml
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux20.yaml new file mode 100755 index 00000000000..d5819531dcb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux20.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux20 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + level: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux3.yaml new file mode 100755 index 00000000000..54345a56a0e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux3.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux4.yaml new file mode 100755 index 00000000000..0274d5bbc5f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux4.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux5.yaml new file mode 100755 index 00000000000..72b1c0818a8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux5.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux6.yaml new file mode 100755 index 00000000000..9d0c703d8a9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux7.yaml new file mode 100755 index 00000000000..5138c5cdcb2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux8.yaml new file mode 100755 index 00000000000..99fd076bed6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux8.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux9.yaml new file mode 100755 index 00000000000..b4c3e31d113 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/selinux9.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_init_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities0.yaml new file mode 100755 index 00000000000..8d989f6f2ba --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities0.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities1.yaml new file mode 100755 index 00000000000..92c51f1a671 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities2.yaml new file mode 100755 index 00000000000..f1decea46f1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities2.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities3.yaml new file mode 100755 index 00000000000..23f4b98b35c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities3.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities4.yaml new file mode 100755 index 00000000000..270fd72f07d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities4.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - bogus + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities5.yaml new file mode 100755 index 00000000000..58e5bd93805 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities5.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - bogus + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities6.yaml new file mode 100755 index 00000000000..935bbec6908 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities7.yaml new file mode 100755 index 00000000000..acb905603ef --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/addcapabilities7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation0.yaml new file mode 100755 index 00000000000..f3835ccd458 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation0.yaml 
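Review bot: Nothing in restricted/v1.15/fail/addcapabilities6.yaml (or addcapabilities7.yaml, the initContainer variant) says why `CAP_CHOWN` has to be rejected when `CHOWN` is accepted in pass/addcapabilities0.yaml. Together with the lower-case `chown` in fail/addcapabilities2.yaml and addcapabilities3.yaml, these files appear to pin exact, case-sensitive matching against the unprefixed names. That is the security-relevant contract here and it is only implied. A header comment would make it explicit, e.g. `# CAP_-prefixed name: only the unprefixed upper-case form is on the allow-list` here and `# lower-case name: matching is case-sensitive` on the `chown` files.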
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation1.yaml new file mode 100755 index 00000000000..2a63d4f945c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: true + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation2.yaml new file mode 100755 index 00000000000..f3eaa44ffef --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation3.yaml new file mode 100755 index 00000000000..981f2c97513 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation3.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation4.yaml new file mode 100755 index 00000000000..6c21220c390 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation4.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation5.yaml new file mode 100755 index 00000000000..6c9c205114e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/allowprivilegeescalation5.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/runasnonroot0.yaml new file mode 100755 index 00000000000..333736b5ee5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/runasnonroot0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/runasnonroot1.yaml new file mode 100755 index 00000000000..3d9fa196e3a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/runasnonroot1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: false 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/runasnonroot2.yaml new file mode 100755 index 00000000000..90fb05805ff --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/runasnonroot2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/runasnonroot3.yaml new file mode 100755 index 00000000000..90d318e1a7c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/runasnonroot3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/runasnonroot4.yaml new file mode 100755 index 00000000000..688e7988348 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/runasnonroot4.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux0.yaml new file mode 100755 index 00000000000..bfb4dde7008 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux1.yaml new file mode 100755 index 00000000000..b3be2791491 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
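Review bot: restricted/v1.15/fail/runasnonroot4.yaml violates two rules at once. With no securityContext on container1 or initcontainer1 it is also missing `allowPrivilegeEscalation: false`, which fail/allowprivilegeescalation4.yaml shows is enough on its own for rejection at this level and version. If the test only asserts that the pod is denied (the harness is not visible here), this case would keep passing even if the runAsNonRoot check stopped firing. A nil container securityContext cannot carry the other field, so the practical fix is to assert which check denied the pod for this case, and to say so at the top of the file: `# no securityContext at any level; also fails allowPrivilegeEscalation`.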
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux2.yaml new file mode 100755 index 00000000000..933d98f0afd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux3.yaml new file mode 100755 index 00000000000..236e6994069 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux3.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + user: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux4.yaml new file mode 100755 index 00000000000..72bb1e246da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux4.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + user: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux5.yaml new file mode 100755 index 00000000000..054ed87df3b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux5.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + user: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux6.yaml new file mode 100755 index 00000000000..c7885b0e51b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + role: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux7.yaml new file mode 100755 index 00000000000..dc8abb1a8d9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + role: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux8.yaml new file mode 100755 index 00000000000..0f900bb42f0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/selinux8.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + role: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/addcapabilities0.yaml new file mode 100755 index 00000000000..f28e384225c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/addcapabilities0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/addcapabilities1.yaml new file mode 100755 index 00000000000..b4be8387110 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/addcapabilities1.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/allowprivilegeescalation0.yaml new file mode 100755 index 00000000000..b2a028c9622 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/allowprivilegeescalation0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/base.yaml new file mode 100755 index 00000000000..56b47e7f2f4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/base.yaml 
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..7250230e275
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/runasnonroot0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..7ba6345d0f2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/runasnonroot1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..27b53f0d805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/runasnonroot2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux0.yaml
new file mode 100755
index 00000000000..d914e0b00c8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux1.yaml
new file mode 100755
index 00000000000..c391cd71474
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux10.yaml
new file mode 100755
index 00000000000..67d30aa7119
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux10.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux11.yaml
new file mode 100755
index 00000000000..5e8e4299521
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux11.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux12.yaml
new file mode 100755
index 00000000000..67150038291
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux12.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux13.yaml
new file mode 100755
index 00000000000..2c44d9fd807
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux13.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux14.yaml
new file mode 100755
index 00000000000..08d9789a6d5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux14.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux15.yaml
new file mode 100755
index 00000000000..6ab973f2a29
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux15.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux16.yaml
new file mode 100755
index 00000000000..a51186318c9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux16.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux17.yaml
new file mode 100755
index 00000000000..16c93576fb5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux17.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
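Review bot: selinux15.yaml, selinux16.yaml and selinux17.yaml under restricted/v1.15/pass carry the same 20 lines apart from `metadata.name`, with every `seLinuxOptions` shown as `{}`, and selinux3.yaml, selinux4.yaml and selinux5.yaml further down repeat that body again, so as committed the six files exercise one input. If each was meant to cover a different field left empty, that distinction appears to be lost once the pod is serialised. Either drop the duplicates or give each file a header comment such as `# case: <field and level this fixture varies>`, so a later regeneration that changes one of them can be reviewed against its intent.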
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux18.yaml
new file mode 100755
index 00000000000..6141503f43f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux18.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux19.yaml
new file mode 100755
index 00000000000..2251561ecd0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux19.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux2.yaml
new file mode 100755
index 00000000000..b8498cbc662
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux20.yaml
new file mode 100755
index 00000000000..d5819531dcb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux20.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux3.yaml
new file mode 100755
index 00000000000..54345a56a0e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux4.yaml
new file mode 100755
index 00000000000..0274d5bbc5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux4.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux5.yaml
new file mode 100755
index 00000000000..72b1c0818a8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux5.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux6.yaml
new file mode 100755
index 00000000000..9d0c703d8a9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux7.yaml
new file mode 100755
index 00000000000..5138c5cdcb2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux8.yaml
new file mode 100755
index 00000000000..99fd076bed6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux9.yaml
new file mode 100755
index 00000000000..b4c3e31d113
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/selinux9.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..8d989f6f2ba
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..92c51f1a671
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..f1decea46f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..23f4b98b35c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..270fd72f07d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities4.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..58e5bd93805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - bogus
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..935bbec6908
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..acb905603ef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/addcapabilities7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..f3835ccd458
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation1.yaml
new file mode 100755
index 00000000000..2a63d4f945c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation2.yaml
new file mode 100755
index 00000000000..f3eaa44ffef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation3.yaml
new file mode 100755
index 00000000000..981f2c97513
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation3.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation4.yaml
new file mode 100755
index 00000000000..6c21220c390
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation4.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation5.yaml
new file mode 100755
index 00000000000..6c9c205114e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/allowprivilegeescalation5.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/runasnonroot0.yaml
new file mode 100755
index 00000000000..333736b5ee5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/runasnonroot0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/runasnonroot1.yaml
new file mode 100755
index 00000000000..3d9fa196e3a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/runasnonroot1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: false
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/runasnonroot2.yaml
new file mode 100755
index 00000000000..90fb05805ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/runasnonroot2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/runasnonroot3.yaml
new file mode 100755
index 00000000000..90d318e1a7c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/runasnonroot3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/runasnonroot4.yaml
new file mode 100755
index 00000000000..688e7988348
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/runasnonroot4.yaml
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux0.yaml new file mode 100755 index 00000000000..bfb4dde7008 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux1.yaml new file mode 100755 index 00000000000..b3be2791491 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
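Review bot: fail/runasnonroot4.yaml omits every `securityContext`, so besides leaving runAsNonRoot unset it also loses the `allowPrivilegeEscalation: false` that fail/runasnonroot0 through runasnonroot3 keep on both containers. If restricted v1.16 also rejects an unset allowPrivilegeEscalation, as the fail/allowprivilegeescalation fixtures in this directory suggest, a denial of this pod does not show that the runAsNonRoot check is the one that handled the nil contexts. Either have the test assert which check rejected the pod, or record the intent in the fixture with a comment such as `# nil securityContext on pod and containers: expected to fail runAsNonRoot and allowPrivilegeEscalation`.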
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux2.yaml new file mode 100755 index 00000000000..933d98f0afd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux3.yaml new file mode 100755 index 00000000000..236e6994069 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux3.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + user: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux4.yaml new file mode 100755 index 00000000000..72bb1e246da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux4.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + user: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux5.yaml new file mode 100755 index 00000000000..054ed87df3b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux5.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + user: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux6.yaml new file mode 100755 index 00000000000..c7885b0e51b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + role: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux7.yaml new file mode 100755 index 00000000000..dc8abb1a8d9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + role: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux8.yaml new file mode 100755 index 00000000000..0f900bb42f0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/selinux8.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + role: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/addcapabilities0.yaml new file mode 100755 index 00000000000..f28e384225c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/addcapabilities0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/addcapabilities1.yaml new file mode 100755 index 00000000000..b4be8387110 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/addcapabilities1.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/allowprivilegeescalation0.yaml new file mode 100755 index 00000000000..b2a028c9622 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/allowprivilegeescalation0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/base.yaml new file mode 100755 index 00000000000..56b47e7f2f4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/base.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/runasnonroot0.yaml new file mode 100755 index 00000000000..7250230e275 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/runasnonroot0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/runasnonroot1.yaml new file mode 100755 index 00000000000..7ba6345d0f2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/runasnonroot1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/runasnonroot2.yaml new file mode 100755 index 00000000000..27b53f0d805 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/runasnonroot2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux0.yaml new file mode 100755 index 00000000000..d914e0b00c8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux1.yaml new file mode 100755 index 00000000000..c391cd71474 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux1.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux10.yaml new file mode 100755 index 00000000000..67d30aa7119 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_init_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux11.yaml new file mode 100755 index 00000000000..5e8e4299521 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux11.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_init_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux12.yaml new file mode 100755 index 00000000000..67150038291 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux12.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_kvm_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux13.yaml new file mode 100755 index 00000000000..2c44d9fd807 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux13.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_kvm_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux14.yaml new file mode 100755 index 00000000000..08d9789a6d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux14.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_kvm_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux15.yaml new file mode 100755 index 00000000000..6ab973f2a29 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux15.yaml 
@@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux16.yaml new file mode 100755 index 00000000000..a51186318c9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux16.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux17.yaml new file mode 100755 index 00000000000..16c93576fb5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux17.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
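Review bot: pass/selinux15.yaml, selinux16.yaml and selinux17.yaml are identical apart from `metadata.name`: each leaves `seLinuxOptions: {}` on both containers and on the pod. The same holds for pass/selinux3.yaml, selinux4.yaml and selinux5.yaml later in this diff, so six fixtures exercise a single spec. Judging by fail/selinux3 through selinux8, which set `user: somevalue` and `role: somevalue` at each level, these were presumably meant to cover an empty user or role that was dropped on serialization; that is an inference from the numbering. If so, the files cannot express the difference, and it would be clearer to emit one such fixture or to name the intended variant in a comment at the top of each file.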
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux18.yaml new file mode 100755 index 00000000000..6141503f43f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + level: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux19.yaml new file mode 100755 index 00000000000..2251561ecd0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + level: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux2.yaml new file mode 100755 index 00000000000..b8498cbc662 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux2.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux20.yaml new file mode 100755 index 00000000000..d5819531dcb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux20.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux20 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + level: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux3.yaml new file mode 100755 index 00000000000..54345a56a0e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux3.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux4.yaml new file mode 100755 index 00000000000..0274d5bbc5f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux4.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux5.yaml new file mode 100755 index 00000000000..72b1c0818a8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux5.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux6.yaml new file mode 100755 index 00000000000..9d0c703d8a9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux7.yaml new file mode 100755 index 00000000000..5138c5cdcb2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux8.yaml new file mode 100755 index 00000000000..99fd076bed6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux8.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux9.yaml new file mode 100755 index 00000000000..b4c3e31d113 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/selinux9.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_init_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities0.yaml new file mode 100755 index 00000000000..8d989f6f2ba --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities0.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities1.yaml new file mode 100755 index 00000000000..92c51f1a671 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities2.yaml new file mode 100755 index 00000000000..f1decea46f1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities2.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities3.yaml new file mode 100755 index 00000000000..23f4b98b35c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities3.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities4.yaml new file mode 100755 index 00000000000..270fd72f07d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities4.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - bogus + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities5.yaml new file mode 100755 index 00000000000..58e5bd93805 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities5.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - bogus + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities6.yaml new file mode 100755 index 00000000000..935bbec6908 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities7.yaml new file mode 100755 index 00000000000..acb905603ef --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/addcapabilities7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation0.yaml new file mode 100755 index 00000000000..f3835ccd458 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation0.yaml 
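Review bot: The `- CAP_CHOWN` entry under `capabilities.add` of container1 in fail/addcapabilities6.yaml is what makes this a fail fixture, but the file does not say why, and the accepted list in pass/addcapabilities0.yaml contains `CHOWN`. A reader can easily take the `CAP_` form for a valid spelling of an allowed capability, while the point of the case appears to be that the check rejects any spelling it does not recognise rather than normalising it. I would add a leading comment such as `# CAP_-prefixed spelling is rejected; only the bare name CHOWN is in the allowed set`, with a matching one-line comment on fail/addcapabilities2.yaml (`chown`, lower case) and fail/addcapabilities7.yaml. This presumes the code that writes the fixtures can preserve comments, which is not visible here.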
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation1.yaml new file mode 100755 index 00000000000..2a63d4f945c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: true + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation2.yaml new file mode 100755 index 00000000000..f3eaa44ffef --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation3.yaml new file mode 100755 index 00000000000..981f2c97513 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation3.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation4.yaml new file mode 100755 index 00000000000..6c21220c390 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation4.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation5.yaml new file mode 100755 index 00000000000..6c9c205114e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/allowprivilegeescalation5.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/runasnonroot0.yaml new file mode 100755 index 00000000000..333736b5ee5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/runasnonroot0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/runasnonroot1.yaml new file mode 100755 index 00000000000..3d9fa196e3a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/runasnonroot1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: false 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/runasnonroot2.yaml new file mode 100755 index 00000000000..90fb05805ff --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/runasnonroot2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/runasnonroot3.yaml new file mode 100755 index 00000000000..90d318e1a7c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/runasnonroot3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/runasnonroot4.yaml new file mode 100755 index 00000000000..688e7988348 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/runasnonroot4.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux0.yaml new file mode 100755 index 00000000000..bfb4dde7008 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux1.yaml new file mode 100755 index 00000000000..b3be2791491 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
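Review bot: fail/runasnonroot4.yaml drops `securityContext` from both containers as well as from the pod, so container1 and initcontainer1 no longer carry `allowPrivilegeEscalation: false` either. The neighbouring fail/allowprivilegeescalation4.yaml and fail/allowprivilegeescalation5.yaml show that a container without that field is rejected at this level on its own. This fixture would therefore still be refused if the runAsNonRoot check stopped treating an absent value as a failure, assuming the test only asserts that the pod is rejected, which is not visible here. To isolate the check, keep `securityContext:` / `allowPrivilegeEscalation: false` on both containers and omit only the pod-level `securityContext` key.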
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux2.yaml new file mode 100755 index 00000000000..933d98f0afd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux3.yaml new file mode 100755 index 00000000000..236e6994069 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux3.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + user: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux4.yaml new file mode 100755 index 00000000000..72bb1e246da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux4.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + user: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux5.yaml new file mode 100755 index 00000000000..054ed87df3b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux5.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + user: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux6.yaml new file mode 100755 index 00000000000..c7885b0e51b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + role: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux7.yaml new file mode 100755 index 00000000000..dc8abb1a8d9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + role: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux8.yaml new file mode 100755 index 00000000000..0f900bb42f0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/selinux8.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + role: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/addcapabilities0.yaml new file mode 100755 index 00000000000..f28e384225c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/addcapabilities0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/addcapabilities1.yaml new file mode 100755 index 00000000000..b4be8387110 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/addcapabilities1.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/allowprivilegeescalation0.yaml new file mode 100755 index 00000000000..b2a028c9622 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/allowprivilegeescalation0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/base.yaml new file mode 100755 index 00000000000..56b47e7f2f4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/base.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/runasnonroot0.yaml new file mode 100755 index 00000000000..7250230e275 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/runasnonroot0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/runasnonroot1.yaml new file mode 100755 index 00000000000..7ba6345d0f2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/runasnonroot1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/runasnonroot2.yaml new file mode 100755 index 00000000000..27b53f0d805 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/runasnonroot2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux0.yaml new file mode 100755 index 00000000000..d914e0b00c8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux1.yaml new file mode 100755 index 00000000000..c391cd71474 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux1.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux10.yaml new file mode 100755 index 00000000000..67d30aa7119 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_init_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux11.yaml new file mode 100755 index 00000000000..5e8e4299521 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux11.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_init_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux12.yaml new file mode 100755 index 00000000000..67150038291 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux12.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_kvm_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux13.yaml new file mode 100755 index 00000000000..2c44d9fd807 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux13.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_kvm_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux14.yaml new file mode 100755 index 00000000000..08d9789a6d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux14.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_kvm_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux15.yaml new file mode 100755 index 00000000000..6ab973f2a29 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux15.yaml 
@@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux16.yaml new file mode 100755 index 00000000000..a51186318c9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux16.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux17.yaml new file mode 100755 index 00000000000..16c93576fb5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux17.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
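Review bot: pass/selinux15.yaml is identical, apart from `metadata.name`, to pass/selinux16.yaml and pass/selinux17.yaml below it and to pass/selinux3.yaml, selinux4.yaml and selinux5.yaml later in the diff: every one has `seLinuxOptions: {}` on both containers and on the pod. Six fixtures therefore exercise one input, and whatever each was meant to vary is not in the file; possibly an empty-string `type`, `user` or `role` that was dropped when the pod was serialised. If that is the intent, the empty-value case is not actually covered by these files. I would either keep one of them or make the varied field survive serialisation, and start each file with a comment naming its case, e.g. `# case: <field this fixture varies>`.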
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux18.yaml new file mode 100755 index 00000000000..6141503f43f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + level: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux19.yaml new file mode 100755 index 00000000000..2251561ecd0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + level: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux2.yaml new file mode 100755 index 00000000000..b8498cbc662 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux2.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux20.yaml new file mode 100755 index 00000000000..d5819531dcb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux20.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux20 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + level: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux3.yaml new file mode 100755 index 00000000000..54345a56a0e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux3.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux4.yaml new file mode 100755 index 00000000000..0274d5bbc5f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux4.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux5.yaml new file mode 100755 index 00000000000..72b1c0818a8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux5.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux6.yaml new file mode 100755 index 00000000000..9d0c703d8a9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux7.yaml new file mode 100755 index 00000000000..5138c5cdcb2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux8.yaml new file mode 100755 index 00000000000..99fd076bed6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux8.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: container_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux9.yaml new file mode 100755 index 00000000000..b4c3e31d113 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/selinux9.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_init_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities0.yaml new file mode 100755 index 00000000000..8d989f6f2ba --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities0.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities1.yaml new file mode 100755 index 00000000000..92c51f1a671 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities2.yaml new file mode 100755 index 00000000000..f1decea46f1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities2.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities3.yaml new file mode 100755 index 00000000000..23f4b98b35c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities3.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities4.yaml new file mode 100755 index 00000000000..270fd72f07d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities4.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - bogus + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities5.yaml new file mode 100755 index 00000000000..58e5bd93805 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities5.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - bogus + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities6.yaml new file mode 100755 index 00000000000..935bbec6908 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities7.yaml new file mode 100755 index 00000000000..acb905603ef --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/addcapabilities7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation0.yaml new file mode 100755 index 00000000000..f3835ccd458 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation0.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation1.yaml new file mode 100755 index 00000000000..2a63d4f945c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: true + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation2.yaml new file mode 100755 index 00000000000..f3eaa44ffef --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true 
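Review bot: The header of restricted/v1.18/fail/allowprivilegeescalation2.yaml carries `new file mode 100755`, as does every other fixture header in this diff, so plain YAML test data is committed with the executable bit set. Nothing in these files is runnable; `100644` is the expected mode for data, and keeping the executable bit off non-programs makes a genuinely executable file added under testdata stand out in review. If a generator writes these files, the mode is presumably set there and is better fixed at that point than per file.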
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation3.yaml new file mode 100755 index 00000000000..981f2c97513 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation3.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation4.yaml new file mode 100755 index 00000000000..6c21220c390 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation4.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation5.yaml new file mode 100755 index 00000000000..6c9c205114e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/allowprivilegeescalation5.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/runasnonroot0.yaml new file mode 100755 index 00000000000..333736b5ee5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/runasnonroot0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/runasnonroot1.yaml new file mode 100755 index 00000000000..3d9fa196e3a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/runasnonroot1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: false 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/runasnonroot2.yaml new file mode 100755 index 00000000000..90fb05805ff --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/runasnonroot2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/runasnonroot3.yaml new file mode 100755 index 00000000000..90d318e1a7c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/runasnonroot3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/runasnonroot4.yaml new file mode 100755 index 00000000000..688e7988348 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/runasnonroot4.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux0.yaml new file mode 100755 index 00000000000..bfb4dde7008 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux1.yaml new file mode 100755 index 00000000000..b3be2791491 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
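Review bot: restricted/v1.18/fail/runasnonroot4.yaml removes every `securityContext`, so besides leaving `runAsNonRoot` unset it also leaves `allowPrivilegeEscalation` unset, which the neighbouring fail/allowprivilegeescalation4 and allowprivilegeescalation5 fixtures treat as a failure in its own right. If the harness only asserts that the pod is rejected, this fixture would keep passing even if the runAsNonRoot check stopped firing. Keeping `securityContext:` with `allowPrivilegeEscalation: false` on both containers, as runasnonroot0 does, while still omitting the pod-level `securityContext`, would isolate the control under test.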
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux2.yaml new file mode 100755 index 00000000000..933d98f0afd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + type: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux3.yaml new file mode 100755 index 00000000000..236e6994069 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux3.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + user: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux4.yaml new file mode 100755 index 00000000000..72bb1e246da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux4.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + user: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux5.yaml new file mode 100755 index 00000000000..054ed87df3b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux5.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + user: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux6.yaml new file mode 100755 index 00000000000..c7885b0e51b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux6.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + role: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux7.yaml new file mode 100755 index 00000000000..dc8abb1a8d9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + role: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux8.yaml new file mode 100755 index 00000000000..0f900bb42f0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/selinux8.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seLinuxOptions: + role: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/addcapabilities0.yaml new file mode 100755 index 00000000000..f28e384225c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/addcapabilities0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/addcapabilities1.yaml new file mode 100755 index 00000000000..b4be8387110 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/addcapabilities1.yaml 
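Review bot: restricted/v1.18/pass/addcapabilities0.yaml (and addcapabilities1.yaml after it) is accepted while adding thirteen capabilities, including `DAC_OVERRIDE`, `SETUID` and `MKNOD`, with no `drop` list. That is only meaningful as a statement about the check set pinned to v1.18; as far as I know, later versions of the restricted profile require `drop: [ALL]` and allow adding only `NET_BIND_SERVICE`, so the same pod should appear under fail/ there. If these files are regenerated, YAML comments would not survive, so a short README next to the restricted/ directories stating that pass/ means "allowed by the checks of that version, not a recommended spec" would keep these pods from being copied as hardening examples.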
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/allowprivilegeescalation0.yaml new file mode 100755 index 00000000000..b2a028c9622 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/allowprivilegeescalation0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/base.yaml new file mode 100755 index 00000000000..56b47e7f2f4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/base.yaml 
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..7250230e275
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/runasnonroot0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..7ba6345d0f2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/runasnonroot1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..27b53f0d805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/runasnonroot2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux0.yaml
new file mode 100755
index 00000000000..d914e0b00c8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux1.yaml
new file mode 100755
index 00000000000..c391cd71474
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux10.yaml
new file mode 100755
index 00000000000..67d30aa7119
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux10.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux11.yaml
new file mode 100755
index 00000000000..5e8e4299521
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux11.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux12.yaml
new file mode 100755
index 00000000000..67150038291
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux12.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux13.yaml
new file mode 100755
index 00000000000..2c44d9fd807
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux13.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux14.yaml
new file mode 100755
index 00000000000..08d9789a6d5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux14.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux15.yaml
new file mode 100755
index 00000000000..6ab973f2a29
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux15.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux16.yaml
new file mode 100755
index 00000000000..a51186318c9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux16.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux17.yaml
new file mode 100755
index 00000000000..16c93576fb5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux17.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
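Review bot: selinux15.yaml, selinux16.yaml and selinux17.yaml under restricted/v1.18/pass are identical apart from `metadata.name`: all three leave `seLinuxOptions: {}` on the container, the init container and the pod. The same holds for selinux3.yaml, selinux4.yaml and selinux5.yaml later in this diff. Presumably each was meant to carry a distinct allowed value that disappears when the manifest is written out (an empty string would), but as committed a reader cannot tell which field each file covers, and the policy check is fed the same input several times. A leading comment such as `# case: <field under test> = <value>` in each file, or emitted by the generator if there is one, would record the intent.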
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux18.yaml
new file mode 100755
index 00000000000..6141503f43f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux18.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux19.yaml
new file mode 100755
index 00000000000..2251561ecd0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux19.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux2.yaml
new file mode 100755
index 00000000000..b8498cbc662
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux20.yaml
new file mode 100755
index 00000000000..d5819531dcb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux20.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux3.yaml
new file mode 100755
index 00000000000..54345a56a0e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux4.yaml
new file mode 100755
index 00000000000..0274d5bbc5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux4.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux5.yaml
new file mode 100755
index 00000000000..72b1c0818a8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux5.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux6.yaml
new file mode 100755
index 00000000000..9d0c703d8a9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux7.yaml
new file mode 100755
index 00000000000..5138c5cdcb2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux8.yaml
new file mode 100755
index 00000000000..99fd076bed6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux9.yaml
new file mode 100755
index 00000000000..b4c3e31d113
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/selinux9.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..8d989f6f2ba
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..92c51f1a671
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..f1decea46f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..23f4b98b35c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..270fd72f07d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities4.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..58e5bd93805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - bogus
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..935bbec6908
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..acb905603ef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..f3835ccd458
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation1.yaml
new file mode 100755
index 00000000000..2a63d4f945c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation2.yaml
new file mode 100755
index 00000000000..f3eaa44ffef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation3.yaml
new file mode 100755
index 00000000000..981f2c97513
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation3.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation4.yaml
new file mode 100755
index 00000000000..6c21220c390
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation4.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation5.yaml
new file mode 100755
index 00000000000..6c9c205114e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation5.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot0.yaml
new file mode 100755
index 00000000000..333736b5ee5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot1.yaml
new file mode 100755
index 00000000000..3d9fa196e3a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: false
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot2.yaml
new file mode 100755
index 00000000000..90fb05805ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot3.yaml
new file mode 100755
index 00000000000..90d318e1a7c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot4.yaml
new file mode 100755
index 00000000000..688e7988348
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot4.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux0.yaml
new file mode 100755
index 00000000000..bfb4dde7008
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux1.yaml
new file mode 100755
index 00000000000..b3be2791491
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
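Review bot: restricted/v1.19/fail/runasnonroot4.yaml has no securityContext at any level, so `allowPrivilegeEscalation: false` is missing on both containers as well as runAsNonRoot. The restricted profile also rejects an unset allowPrivilegeEscalation, so this pod would still be denied if the runAsNonRoot check mishandled a missing securityContext, and the fixture would not catch that regression. The sibling fixtures runasnonroot0 to runasnonroot3 avoid this by keeping `allowPrivilegeEscalation: false` on each container. Either have the harness assert which check produced the denial, or document the overlap with a header comment such as `# also violates allowPrivilegeEscalation; exercises the nil securityContext path`.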
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux2.yaml
new file mode 100755
index 00000000000..933d98f0afd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux3.yaml
new file mode 100755
index 00000000000..236e6994069
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux4.yaml
new file mode 100755
index 00000000000..72bb1e246da
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux4.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux5.yaml
new file mode 100755
index 00000000000..054ed87df3b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux6.yaml
new file mode 100755
index 00000000000..c7885b0e51b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux7.yaml
new file mode 100755
index 00000000000..dc8abb1a8d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux8.yaml
new file mode 100755
index 00000000000..0f900bb42f0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..f28e384225c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/addcapabilities0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..b4be8387110
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/addcapabilities1.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..b2a028c9622
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/base.yaml
new file mode 100755
index 00000000000..56b47e7f2f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/base.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..7250230e275
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..7ba6345d0f2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..27b53f0d805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux0.yaml
new file mode 100755
index 00000000000..d914e0b00c8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux1.yaml
new file mode 100755
index 00000000000..c391cd71474
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux10.yaml
new file mode 100755
index 00000000000..67d30aa7119
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux10.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux11.yaml
new file mode 100755
index 00000000000..5e8e4299521
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux11.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux12.yaml
new file mode 100755
index 00000000000..67150038291
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux12.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux13.yaml
new file mode 100755
index 00000000000..2c44d9fd807
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux13.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux14.yaml
new file mode 100755
index 00000000000..08d9789a6d5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux14.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux15.yaml
new file mode 100755
index 00000000000..6ab973f2a29
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux15.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux16.yaml
new file mode 100755
index 00000000000..a51186318c9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux16.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux17.yaml
new file mode 100755
index 00000000000..16c93576fb5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux17.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
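Review bot: restricted/v1.19/pass/selinux15.yaml is identical to selinux16.yaml and selinux17.yaml apart from `metadata.name`, and the same holds for pass/selinux3.yaml, selinux4.yaml and selinux5.yaml further down. All six carry `seLinuxOptions: {}` at pod, container and init-container level. Whatever distinguished these cases is not visible in the checked-in YAML; presumably each set one seLinuxOptions field to an empty string that was dropped on serialization, which should be confirmed against the code that produces them. As written the six files exercise one input, so either collapse them or make the difference survive in the file. A first-line comment such as `# selinux15: <field this case sets, and to what>` would at least record the intent.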
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux18.yaml
new file mode 100755
index 00000000000..6141503f43f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux18.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux19.yaml
new file mode 100755
index 00000000000..2251561ecd0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux19.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux2.yaml
new file mode 100755
index 00000000000..b8498cbc662
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux20.yaml
new file mode 100755
index 00000000000..d5819531dcb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux20.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux3.yaml
new file mode 100755
index 00000000000..54345a56a0e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux4.yaml
new file mode 100755
index 00000000000..0274d5bbc5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux4.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux5.yaml
new file mode 100755
index 00000000000..72b1c0818a8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux5.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux6.yaml
new file mode 100755
index 00000000000..9d0c703d8a9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux7.yaml
new file mode 100755
index 00000000000..5138c5cdcb2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux8.yaml
new file mode 100755
index 00000000000..99fd076bed6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux9.yaml
new file mode 100755
index 00000000000..b4c3e31d113
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux9.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..7d2a40aa16f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..4ce478cc101
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..e2ac69c257c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7b8039471c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities3.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..c35f9bac810
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities4.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..750b776c0e9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities5.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a7c074252bc
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..05e8355ab2e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/addcapabilities7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/runasnonroot0.yaml
new file mode 100755
index 00000000000..0c718535423
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/runasnonroot0.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/runasnonroot1.yaml
new file mode 100755
index 00000000000..a2c190cd5d6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/runasnonroot1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: false
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/runasnonroot2.yaml
new file mode 100755
index 00000000000..7a7d85978a6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/runasnonroot2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/runasnonroot3.yaml
new file mode 100755
index 00000000000..0247a604640
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/runasnonroot3.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/runasnonroot4.yaml
new file mode 100755
index 00000000000..688e7988348
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/runasnonroot4.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux0.yaml
new file mode 100755
index 00000000000..363b8deb226
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux1.yaml
new file mode 100755
index 00000000000..193ad4e87eb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux2.yaml
new file mode 100755
index 00000000000..537e193472d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux3.yaml
new file mode 100755
index 00000000000..289dd23f9bb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux3.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux4.yaml
new file mode 100755
index 00000000000..878fd40a5ae
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux4.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux5.yaml
new file mode 100755
index 00000000000..89ea534e449
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux5.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux6.yaml
new file mode 100755
index 00000000000..1d8f5da087d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux7.yaml
new file mode 100755
index 00000000000..544f026b321
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux8.yaml
new file mode 100755
index 00000000000..64fc5eba2a3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/selinux8.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..3185a9f177b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/addcapabilities0.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..650b78e6671
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/addcapabilities1.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext:
+ runAsNonRoot: true
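Review bot: pass/addcapabilities0.yaml gives no indication of why a restricted-level pod that adds thirteen capabilities, among them SETUID, SETGID, DAC_OVERRIDE and MKNOD, is expected to be admitted. The directory name implies this is the intended verdict for policy version v1.2, presumably because the tighter restricted capability rule is gated to a later policy version, but a reader auditing the fixtures cannot confirm that from the file. A leading comment such as `# restricted@v1.2: only the baseline capability allow-list is enforced` would make the expectation reviewable. pass/addcapabilities1.yaml carries the same list on the init container and would need the same comment.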
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/base.yaml
new file mode 100755
index 00000000000..aa0683c9292
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/base.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..5cb641d1bca
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/runasnonroot0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..4313f124ba0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/runasnonroot1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..50b6eb3ab8d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/runasnonroot2.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux0.yaml
new file mode 100755
index 00000000000..f12fef14392
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux1.yaml
new file mode 100755
index 00000000000..7f04d1db606
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux10.yaml
new file mode 100755
index 00000000000..72f933306fb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux10.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux11.yaml
new file mode 100755
index 00000000000..50dff0fc74f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux11.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux12.yaml
new file mode 100755
index 00000000000..cf3a07d2cd5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux12.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux13.yaml
new file mode 100755
index 00000000000..b32e3fab6a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux13.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux14.yaml
new file mode 100755
index 00000000000..06af2b8960f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux14.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux15.yaml
new file mode 100755
index 00000000000..08bdbba3046
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux15.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux16.yaml
new file mode 100755
index 00000000000..53cfaea819a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux16.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
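Review bot: pass/selinux15.yaml and pass/selinux16.yaml differ only in `metadata.name`, and the same body appears again in pass/selinux17.yaml, selinux3.yaml, selinux4.yaml and selinux5.yaml of this directory, so six fixtures assert one and the same pod shape. If each was meant to cover a distinct input (for example an explicitly empty `type`, `user` or `role`), that distinction appears to be lost once the pod is serialized, and the allowed-empty path is not exercised from these files. Either drop the duplicates or give each a leading comment naming the case it stands for, e.g. `# seLinuxOptions.user explicitly empty`, so a later change to the SELinux check can be matched to the fixture that should catch it.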
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux17.yaml
new file mode 100755
index 00000000000..5c9d12d4442
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux17.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux18.yaml
new file mode 100755
index 00000000000..08be2f6cafb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux18.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux19.yaml
new file mode 100755
index 00000000000..a1e3ea1cb98
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux19.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux2.yaml
new file mode 100755
index 00000000000..51ab535ab12
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux2.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux20.yaml
new file mode 100755
index 00000000000..4cd5be51506
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux20.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux3.yaml
new file mode 100755
index 00000000000..15959503854
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux4.yaml
new file mode 100755
index 00000000000..d7b44e06767
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux5.yaml
new file mode 100755
index 00000000000..12f60be1691
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux6.yaml
new file mode 100755
index 00000000000..68c7741f105
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux7.yaml
new file mode 100755
index 00000000000..242ee6e1a58
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux8.yaml
new file mode 100755
index 00000000000..12839265d00
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux8.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux9.yaml
new file mode 100755
index 00000000000..bbe871037c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/selinux9.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..8d989f6f2ba
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..92c51f1a671
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..f1decea46f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..23f4b98b35c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..270fd72f07d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities4.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..58e5bd93805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - bogus
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..935bbec6908
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..acb905603ef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..f3835ccd458
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation1.yaml
new file mode 100755
index 00000000000..2a63d4f945c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation2.yaml
new file mode 100755
index 00000000000..f3eaa44ffef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation3.yaml
new file mode 100755
index 00000000000..981f2c97513
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation3.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation4.yaml
new file mode 100755
index 00000000000..6c21220c390
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation4.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation5.yaml
new file mode 100755
index 00000000000..6c9c205114e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation5.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot0.yaml
new file mode 100755
index 00000000000..333736b5ee5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot1.yaml
new file mode 100755
index 00000000000..3d9fa196e3a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: false
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot2.yaml
new file mode 100755
index 00000000000..90fb05805ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot3.yaml
new file mode 100755
index 00000000000..90d318e1a7c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot4.yaml
new file mode 100755
index 00000000000..688e7988348
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot4.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux0.yaml
new file mode 100755
index 00000000000..bfb4dde7008
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux1.yaml
new file mode 100755
index 00000000000..b3be2791491
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
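Review bot: restricted/v1.20/fail/runasnonroot4.yaml drops every `securityContext`, so besides leaving `runAsNonRoot` unset it also omits the `allowPrivilegeEscalation: false` that runasnonroot0–3 keep on both containers. fail/allowprivilegeescalation4.yaml in this same diff shows that a container without that field is already rejected at this level, so this pod would stay rejected even if the runAsNonRoot check regressed, unless the harness asserts which check fired (not visible here). To isolate the control, keep `securityContext:` with `allowPrivilegeEscalation: false` under container1 and initcontainer1 and omit only the pod-level block.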
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux2.yaml
new file mode 100755
index 00000000000..933d98f0afd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux3.yaml
new file mode 100755
index 00000000000..236e6994069
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux4.yaml
new file mode 100755
index 00000000000..72bb1e246da
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux4.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux5.yaml
new file mode 100755
index 00000000000..054ed87df3b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux6.yaml
new file mode 100755
index 00000000000..c7885b0e51b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux7.yaml
new file mode 100755
index 00000000000..dc8abb1a8d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux8.yaml
new file mode 100755
index 00000000000..0f900bb42f0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..f28e384225c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/addcapabilities0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..b4be8387110
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/addcapabilities1.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..b2a028c9622
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/base.yaml
new file mode 100755
index 00000000000..56b47e7f2f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/base.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..7250230e275
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..7ba6345d0f2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..27b53f0d805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux0.yaml
new file mode 100755
index 00000000000..d914e0b00c8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux1.yaml
new file mode 100755
index 00000000000..c391cd71474
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux10.yaml
new file mode 100755
index 00000000000..67d30aa7119
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux10.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux11.yaml
new file mode 100755
index 00000000000..5e8e4299521
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux11.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux12.yaml
new file mode 100755
index 00000000000..67150038291
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux12.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux13.yaml
new file mode 100755
index 00000000000..2c44d9fd807
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux13.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux14.yaml
new file mode 100755
index 00000000000..08d9789a6d5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux14.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux15.yaml
new file mode 100755
index 00000000000..6ab973f2a29
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux15.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux16.yaml
new file mode 100755
index 00000000000..a51186318c9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux16.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux17.yaml
new file mode 100755
index 00000000000..16c93576fb5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux17.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
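Review bot: The pods in selinux15.yaml, selinux16.yaml and selinux17.yaml are identical apart from `metadata.name` (every `seLinuxOptions` is `{}`), and the same holds for selinux3.yaml, selinux4.yaml and selinux5.yaml in this directory. Whatever distinguishes these cases, presumably a field set to an empty value that is dropped on serialization, is not visible in the files, so a reader cannot tell which SELinux field each one is meant to cover. A header comment emitted with each fixture, for example `# seLinuxOptions.<field> explicitly empty at <pod|container|initContainer> level`, would document the intent and make a missing case noticeable.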
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux18.yaml
new file mode 100755
index 00000000000..6141503f43f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux18.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux19.yaml
new file mode 100755
index 00000000000..2251561ecd0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux19.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux2.yaml
new file mode 100755
index 00000000000..b8498cbc662
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux20.yaml
new file mode 100755
index 00000000000..d5819531dcb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux20.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux3.yaml
new file mode 100755
index 00000000000..54345a56a0e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux4.yaml
new file mode 100755
index 00000000000..0274d5bbc5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux4.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux5.yaml
new file mode 100755
index 00000000000..72b1c0818a8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux5.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux6.yaml
new file mode 100755
index 00000000000..9d0c703d8a9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux7.yaml
new file mode 100755
index 00000000000..5138c5cdcb2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux8.yaml
new file mode 100755
index 00000000000..99fd076bed6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux9.yaml
new file mode 100755
index 00000000000..b4c3e31d113
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux9.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..8d989f6f2ba
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..92c51f1a671
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..f1decea46f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..23f4b98b35c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..270fd72f07d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities4.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..58e5bd93805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - bogus
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..935bbec6908
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..acb905603ef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..f3835ccd458
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation1.yaml
new file mode 100755
index 00000000000..2a63d4f945c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation2.yaml
new file mode 100755
index 00000000000..f3eaa44ffef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation3.yaml
new file mode 100755
index 00000000000..981f2c97513
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation3.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation4.yaml
new file mode 100755
index 00000000000..6c21220c390
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation4.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation5.yaml
new file mode 100755
index 00000000000..6c9c205114e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation5.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot0.yaml
new file mode 100755
index 00000000000..333736b5ee5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot1.yaml
new file mode 100755
index 00000000000..3d9fa196e3a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: false
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot2.yaml
new file mode 100755
index 00000000000..90fb05805ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot3.yaml
new file mode 100755
index 00000000000..90d318e1a7c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot4.yaml
new file mode 100755
index 00000000000..688e7988348
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot4.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux0.yaml
new file mode 100755
index 00000000000..bfb4dde7008
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux1.yaml
new file mode 100755
index 00000000000..b3be2791491
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
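Review bot: restricted/v1.21/fail/runasnonroot4.yaml violates more than one control at once. With no `securityContext` on the pod or on either container it leaves `runAsNonRoot` unset, but it also leaves `allowPrivilegeEscalation` unset, which fail/allowprivilegeescalation4.yaml and allowprivilegeescalation5.yaml already present as a rejection on its own. If the test only asserts that the pod is rejected, this fixture would keep passing even if the runAsNonRoot check stopped firing. Keeping `securityContext:` with `allowPrivilegeEscalation: false` on both containers and omitting only the pod-level `securityContext` would isolate the runAsNonRoot case.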
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux2.yaml
new file mode 100755
index 00000000000..933d98f0afd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux3.yaml
new file mode 100755
index 00000000000..236e6994069
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux4.yaml
new file mode 100755
index 00000000000..72bb1e246da
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux4.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux5.yaml
new file mode 100755
index 00000000000..054ed87df3b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux6.yaml
new file mode 100755
index 00000000000..c7885b0e51b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux7.yaml
new file mode 100755
index 00000000000..dc8abb1a8d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux8.yaml
new file mode 100755
index 00000000000..0f900bb42f0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..f28e384225c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/addcapabilities0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..b4be8387110
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/addcapabilities1.yaml
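Review bot: restricted/v1.21/pass/addcapabilities0.yaml is an accepted `restricted` pod that adds thirteen capabilities, among them `DAC_OVERRIDE`, `SETUID`, `MKNOD` and `SYS_CHROOT`, with no `drop` list; pass/addcapabilities1.yaml does the same on the init container. The fail fixtures in this version directory only reject names outside that list (`NET_RAW`, `chown`, `bogus`, `CAP_CHOWN`), so at this version the restricted level appears to apply no capability rule beyond the allowlist. That is easy to misread as the restricted profile endorsing these additions; a header comment such as `# restricted v1.21: added capabilities limited only by the allowlist, no drop required` would state the intent, if that is indeed what is meant.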
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..b2a028c9622
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/base.yaml
new file mode 100755
index 00000000000..56b47e7f2f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/base.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..7250230e275
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..7ba6345d0f2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..27b53f0d805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux0.yaml
new file mode 100755
index 00000000000..d914e0b00c8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux1.yaml
new file mode 100755
index 00000000000..c391cd71474
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux10.yaml
new file mode 100755
index 00000000000..67d30aa7119
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux10.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux11.yaml
new file mode 100755
index 00000000000..5e8e4299521
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux11.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux12.yaml
new file mode 100755
index 00000000000..67150038291
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux12.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux13.yaml
new file mode 100755
index 00000000000..2c44d9fd807
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux13.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux14.yaml
new file mode 100755
index 00000000000..08d9789a6d5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux14.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux15.yaml
new file mode 100755
index 00000000000..6ab973f2a29
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux15.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux16.yaml
new file mode 100755
index 00000000000..a51186318c9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux16.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux17.yaml
new file mode 100755
index 00000000000..16c93576fb5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux17.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
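Review bot: restricted/v1.21/pass/selinux15.yaml, selinux16.yaml and selinux17.yaml are the same pod apart from `metadata.name`: all three set `seLinuxOptions: {}` on the container, the init container and the pod, and selinux3.yaml to selinux5.yaml later in the diff repeat the same body. Whatever distinguishes these cases is not visible in the fixture, presumably because the field under test was set to an empty value and dropped on serialization, so a reader cannot tell which allowed input each file pins. A leading comment such as `# case: <field under test> left empty` in each file, or collapsing the duplicates, would keep the pass set auditable.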
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux18.yaml
new file mode 100755
index 00000000000..6141503f43f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux18.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux19.yaml
new file mode 100755
index 00000000000..2251561ecd0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux19.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux2.yaml
new file mode 100755
index 00000000000..b8498cbc662
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux20.yaml
new file mode 100755
index 00000000000..d5819531dcb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux20.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux3.yaml
new file mode 100755
index 00000000000..54345a56a0e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux4.yaml
new file mode 100755
index 00000000000..0274d5bbc5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux4.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux5.yaml
new file mode 100755
index 00000000000..72b1c0818a8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux5.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux6.yaml
new file mode 100755
index 00000000000..9d0c703d8a9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux7.yaml
new file mode 100755
index 00000000000..5138c5cdcb2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux8.yaml
new file mode 100755
index 00000000000..99fd076bed6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux9.yaml
new file mode 100755
index 00000000000..b4c3e31d113
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux9.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..8d989f6f2ba
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..92c51f1a671
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..f1decea46f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..23f4b98b35c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..270fd72f07d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities4.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..58e5bd93805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - bogus
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..935bbec6908
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..acb905603ef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..f3835ccd458
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation1.yaml
new file mode 100755
index 00000000000..2a63d4f945c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation2.yaml
new file mode 100755
index 00000000000..f3eaa44ffef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation3.yaml
new file mode 100755
index 00000000000..981f2c97513
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation3.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation4.yaml
new file mode 100755
index 00000000000..6c21220c390
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation4.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation5.yaml
new file mode 100755
index 00000000000..6c9c205114e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation5.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot0.yaml
new file mode 100755
index 00000000000..333736b5ee5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot1.yaml
new file mode 100755
index 00000000000..3d9fa196e3a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: false
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot2.yaml
new file mode 100755
index 00000000000..90fb05805ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot3.yaml
new file mode 100755
index 00000000000..90d318e1a7c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot4.yaml
new file mode 100755
index 00000000000..688e7988348
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot4.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux0.yaml
new file mode 100755
index 00000000000..bfb4dde7008
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux1.yaml
new file mode 100755
index 00000000000..b3be2791491
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux2.yaml
new file mode 100755
index 00000000000..933d98f0afd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux3.yaml
new file mode 100755
index 00000000000..236e6994069
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux4.yaml
new file mode 100755
index 00000000000..72bb1e246da
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux4.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux5.yaml
new file mode 100755
index 00000000000..054ed87df3b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux6.yaml
new file mode 100755
index 00000000000..c7885b0e51b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux7.yaml
new file mode 100755
index 00000000000..dc8abb1a8d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux8.yaml
new file mode 100755
index 00000000000..0f900bb42f0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..f28e384225c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/addcapabilities0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..b4be8387110
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/addcapabilities1.yaml
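Review bot: pass/addcapabilities0.yaml under restricted/v1.22 expects admission for a container that adds thirteen capabilities (`CHOWN`, `DAC_OVERRIDE`, `SETUID`, `SYS_CHROOT`, …) and drops none, and pass/addcapabilities1.yaml does the same for the init container. As I read the published restricted profile, containers are expected to drop `ALL` and add back at most `NET_BIND_SERVICE`. None of the restricted/v1.22 fixtures visible here sets a `seccompProfile` either, so these pass cases appear to record the checks that exist today rather than the full restricted policy. If those checks are still to come, track that next to the fixture generator so these two files move to fail/ when they land. Otherwise the fixtures read as a statement that restricted admits the whole baseline capability set.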
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..b2a028c9622
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/base.yaml
new file mode 100755
index 00000000000..56b47e7f2f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/base.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..7250230e275
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..7ba6345d0f2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..27b53f0d805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux0.yaml
new file mode 100755
index 00000000000..d914e0b00c8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux1.yaml
new file mode 100755
index 00000000000..c391cd71474
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux10.yaml
new file mode 100755
index 00000000000..67d30aa7119
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux10.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux11.yaml
new file mode 100755
index 00000000000..5e8e4299521
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux11.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux12.yaml
new file mode 100755
index 00000000000..67150038291
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux12.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux13.yaml
new file mode 100755
index 00000000000..2c44d9fd807
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux13.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux14.yaml
new file mode 100755
index 00000000000..08d9789a6d5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux14.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux15.yaml
new file mode 100755
index 00000000000..6ab973f2a29
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux15.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux16.yaml
new file mode 100755
index 00000000000..a51186318c9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux16.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux17.yaml
new file mode 100755
index 00000000000..16c93576fb5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux17.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
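Review bot: pass/selinux15.yaml, selinux16.yaml and selinux17.yaml are identical apart from `metadata.name`, and pass/selinux3.yaml, selinux4.yaml and selinux5.yaml further down have the same body: every `seLinuxOptions` is `{}`. Presumably each comes from a distinct generator case, such as an empty `user` or `role` at pod, container or init-container level, whose empty value is dropped on serialization. The six files therefore cannot be told apart and do not show which field they are meant to cover. Either de-duplicate them in the generator or encode the intended case in the file name, so that a later change to how empty SELinux fields are handled shows up in the test data.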
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux18.yaml
new file mode 100755
index 00000000000..6141503f43f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux18.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux19.yaml
new file mode 100755
index 00000000000..2251561ecd0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux19.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux2.yaml
new file mode 100755
index 00000000000..b8498cbc662
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux20.yaml
new file mode 100755
index 00000000000..d5819531dcb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux20.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux3.yaml
new file mode 100755
index 00000000000..54345a56a0e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux4.yaml
new file mode 100755
index 00000000000..0274d5bbc5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux4.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux5.yaml
new file mode 100755
index 00000000000..72b1c0818a8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux5.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux6.yaml
new file mode 100755
index 00000000000..9d0c703d8a9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux7.yaml
new file mode 100755
index 00000000000..5138c5cdcb2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux8.yaml
new file mode 100755
index 00000000000..99fd076bed6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux9.yaml
new file mode 100755
index 00000000000..b4c3e31d113
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux9.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..7d2a40aa16f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
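Review bot: The executable bit is set on a data file: `restricted/v1.3/fail/addcapabilities0.yaml` is added with `new file mode 100755`, and so is every other fixture in this part of the diff. These are YAML pod manifests with nothing to execute, so the mode should be `100644`. If the fixtures are written by a generator, which the numbered names suggest, the fix belongs in the file mode that the generator passes when it writes them.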
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..4ce478cc101
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..e2ac69c257c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7b8039471c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities3.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..c35f9bac810
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities4.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..750b776c0e9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities5.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext:
+ runAsNonRoot: true
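Review bot: `fail/addcapabilities3.yaml` does not say why it must be rejected. Its `chown` differs from the accepted `CHOWN` in `pass/addcapabilities0.yaml` only by case, which a later reader can easily take for a typo in the fixture. The same applies to `chown` in addcapabilities2, `bogus` in addcapabilities4/5 and `CAP_CHOWN` in addcapabilities6/7. I would add a first-line comment to each, e.g. `# expect reject: capability names are matched exactly, "chown" is not "CHOWN"`, so that nobody corrects the value and silently loses the negative case. That the comparison is exact is inferred from the fail/pass split; the check itself is not visible here.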
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a7c074252bc
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..05e8355ab2e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/addcapabilities7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/runasnonroot0.yaml
new file mode 100755
index 00000000000..0c718535423
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/runasnonroot0.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/runasnonroot1.yaml
new file mode 100755
index 00000000000..a2c190cd5d6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/runasnonroot1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: false
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/runasnonroot2.yaml
new file mode 100755
index 00000000000..7a7d85978a6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/runasnonroot2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/runasnonroot3.yaml
new file mode 100755
index 00000000000..0247a604640
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/runasnonroot3.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/runasnonroot4.yaml
new file mode 100755
index 00000000000..688e7988348
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/runasnonroot4.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux0.yaml
new file mode 100755
index 00000000000..363b8deb226
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux1.yaml
new file mode 100755
index 00000000000..193ad4e87eb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux2.yaml
new file mode 100755
index 00000000000..537e193472d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux3.yaml
new file mode 100755
index 00000000000..289dd23f9bb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux3.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux4.yaml
new file mode 100755
index 00000000000..878fd40a5ae
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux4.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux5.yaml
new file mode 100755
index 00000000000..89ea534e449
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux5.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux6.yaml
new file mode 100755
index 00000000000..1d8f5da087d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux7.yaml
new file mode 100755
index 00000000000..544f026b321
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux8.yaml
new file mode 100755
index 00000000000..64fc5eba2a3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/selinux8.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..3185a9f177b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/addcapabilities0.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..650b78e6671
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/addcapabilities1.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/base.yaml
new file mode 100755
index 00000000000..aa0683c9292
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/base.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..5cb641d1bca
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/runasnonroot0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..4313f124ba0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/runasnonroot1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..50b6eb3ab8d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/runasnonroot2.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux0.yaml
new file mode 100755
index 00000000000..f12fef14392
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux1.yaml
new file mode 100755
index 00000000000..7f04d1db606
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux10.yaml
new file mode 100755
index 00000000000..72f933306fb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux10.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux11.yaml
new file mode 100755
index 00000000000..50dff0fc74f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux11.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux12.yaml
new file mode 100755
index 00000000000..cf3a07d2cd5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux12.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux13.yaml
new file mode 100755
index 00000000000..b32e3fab6a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux13.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux14.yaml
new file mode 100755
index 00000000000..06af2b8960f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux14.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux15.yaml
new file mode 100755
index 00000000000..08bdbba3046
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux15.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux16.yaml
new file mode 100755
index 00000000000..53cfaea819a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux16.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
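Review bot: `pass/selinux15.yaml` and `pass/selinux16.yaml` are identical apart from `metadata.name`, and selinux17, selinux3, selinux4 and selinux5 in the same directory match them too: every `seLinuxOptions` is `{}`. Presumably each was meant to cover a different field left empty at pod, container or init-container level, and the empty value was dropped on serialization. As committed, the files no longer record which case is which, so six fixtures exercise one input. Either collapse them into one fixture or give each a first-line comment naming its case, e.g. `# case: <field> left empty at <level>`.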
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux17.yaml
new file mode 100755
index 00000000000..5c9d12d4442
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux17.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux18.yaml
new file mode 100755
index 00000000000..08be2f6cafb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux18.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux19.yaml
new file mode 100755
index 00000000000..a1e3ea1cb98
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux19.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux2.yaml
new file mode 100755
index 00000000000..51ab535ab12
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux2.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux20.yaml
new file mode 100755
index 00000000000..4cd5be51506
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux20.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux3.yaml
new file mode 100755
index 00000000000..15959503854
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux4.yaml
new file mode 100755
index 00000000000..d7b44e06767
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux5.yaml
new file mode 100755
index 00000000000..12f60be1691
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux6.yaml
new file mode 100755
index 00000000000..68c7741f105
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux7.yaml
new file mode 100755
index 00000000000..242ee6e1a58
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux8.yaml
new file mode 100755
index 00000000000..12839265d00
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux8.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux9.yaml
new file mode 100755
index 00000000000..bbe871037c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/selinux9.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..7d2a40aa16f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..4ce478cc101
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..e2ac69c257c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7b8039471c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities3.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..c35f9bac810
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities4.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..750b776c0e9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities5.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a7c074252bc
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..05e8355ab2e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/addcapabilities7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/runasnonroot0.yaml
new file mode 100755
index 00000000000..0c718535423
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/runasnonroot0.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/runasnonroot1.yaml
new file mode 100755
index 00000000000..a2c190cd5d6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/runasnonroot1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: false
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/runasnonroot2.yaml
new file mode 100755
index 00000000000..7a7d85978a6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/runasnonroot2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/runasnonroot3.yaml
new file mode 100755
index 00000000000..0247a604640
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/runasnonroot3.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/runasnonroot4.yaml
new file mode 100755
index 00000000000..688e7988348
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/runasnonroot4.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux0.yaml
new file mode 100755
index 00000000000..363b8deb226
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux0.yaml
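Review bot: The `restricted/v1.4/fail/runasnonroot0`–`runasnonroot4` fixtures have no case where one container opts in and the other is left uncovered: every failing pod either sets `runAsNonRoot: false` somewhere or sets it nowhere. A pod with `securityContext: {}` at pod level, `runAsNonRoot: true` on `container1` and `securityContext: {}` on `initcontainer1` should also be rejected. That is the input most likely to slip through a check that stops at the first container satisfying it. I would add that fixture and its mirror, with the init container as the one that opts in; if these files are generated, the case belongs in the generator rather than in a hand-written file.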
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux1.yaml
new file mode 100755
index 00000000000..193ad4e87eb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux2.yaml
new file mode 100755
index 00000000000..537e193472d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux3.yaml
new file mode 100755
index 00000000000..289dd23f9bb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux3.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux4.yaml
new file mode 100755
index 00000000000..878fd40a5ae
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux4.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux5.yaml
new file mode 100755
index 00000000000..89ea534e449
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux5.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux6.yaml
new file mode 100755
index 00000000000..1d8f5da087d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux7.yaml
new file mode 100755
index 00000000000..544f026b321
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux8.yaml
new file mode 100755
index 00000000000..64fc5eba2a3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/selinux8.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..3185a9f177b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/addcapabilities0.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..650b78e6671
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/addcapabilities1.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/base.yaml
new file mode 100755
index 00000000000..aa0683c9292
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/base.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..5cb641d1bca
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/runasnonroot0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..4313f124ba0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/runasnonroot1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..50b6eb3ab8d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/runasnonroot2.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux0.yaml
new file mode 100755
index 00000000000..f12fef14392
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux1.yaml
new file mode 100755
index 00000000000..7f04d1db606
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux10.yaml
new file mode 100755
index 00000000000..72f933306fb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux10.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux11.yaml
new file mode 100755
index 00000000000..50dff0fc74f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux11.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux12.yaml
new file mode 100755
index 00000000000..cf3a07d2cd5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux12.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux13.yaml
new file mode 100755
index 00000000000..b32e3fab6a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux13.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux14.yaml
new file mode 100755
index 00000000000..06af2b8960f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux14.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux15.yaml
new file mode 100755
index 00000000000..08bdbba3046
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux15.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux16.yaml
new file mode 100755
index 00000000000..53cfaea819a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux16.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux17.yaml
new file mode 100755
index 00000000000..5c9d12d4442
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux17.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux18.yaml
new file mode 100755
index 00000000000..08be2f6cafb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux18.yaml
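Review bot: `restricted/v1.4/pass/selinux16.yaml` and `selinux17.yaml` carry the same pod as `selinux15.yaml` apart from `metadata.name`, so the three files exercise one input three times. All three set `seLinuxOptions: {}` on both containers and at pod level, with `runAsNonRoot: true`. `selinux3`–`selinux5` under `restricted/v1.3/pass` repeat in the same way. Presumably the intended variants differed in a field that disappears when serialized empty, but the diff does not show which. Either drop the repeats or open each file with a one-line `#` comment naming the variant it stands for, so a reader can tell coverage from repetition.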
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux19.yaml
new file mode 100755
index 00000000000..a1e3ea1cb98
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux19.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux2.yaml
new file mode 100755
index 00000000000..51ab535ab12
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux2.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux20.yaml
new file mode 100755
index 00000000000..4cd5be51506
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux20.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux3.yaml
new file mode 100755
index 00000000000..15959503854
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux4.yaml
new file mode 100755
index 00000000000..d7b44e06767
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux5.yaml
new file mode 100755
index 00000000000..12f60be1691
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux6.yaml
new file mode 100755
index 00000000000..68c7741f105
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux7.yaml
new file mode 100755
index 00000000000..242ee6e1a58
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux8.yaml
new file mode 100755
index 00000000000..12839265d00
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux8.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux9.yaml
new file mode 100755
index 00000000000..bbe871037c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/selinux9.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..7d2a40aa16f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..4ce478cc101
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..e2ac69c257c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..7b8039471c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities3.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..c35f9bac810
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities4.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..750b776c0e9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities5.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - bogus
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..a7c074252bc
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..05e8355ab2e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/addcapabilities7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/runasnonroot0.yaml
new file mode 100755
index 00000000000..0c718535423
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/runasnonroot0.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/runasnonroot1.yaml
new file mode 100755
index 00000000000..a2c190cd5d6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/runasnonroot1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: false
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/runasnonroot2.yaml
new file mode 100755
index 00000000000..7a7d85978a6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/runasnonroot2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/runasnonroot3.yaml
new file mode 100755
index 00000000000..0247a604640
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/runasnonroot3.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/runasnonroot4.yaml
new file mode 100755
index 00000000000..688e7988348
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/runasnonroot4.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux0.yaml
new file mode 100755
index 00000000000..363b8deb226
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux1.yaml
new file mode 100755
index 00000000000..193ad4e87eb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
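Review bot: The `runasnonroot` fail set, which ends with `restricted/v1.5/fail/runasnonroot4.yaml`, has no pod in which the pod-level `securityContext` leaves `runAsNonRoot` unset and only one of `container1` / `initcontainer1` sets it to `true`. Every failing fixture either sets nothing anywhere or contains an explicit `runAsNonRoot: false`, and every passing one sets `true` at pod level or on both containers, so a check that wrongly admits a pod as soon as any single container opts in would still satisfy all of them. A fail fixture of the shape below, plus its mirror image with the values of the two containers swapped, would close that gap; the file name is only a suggestion.

```yaml
# proposed fail fixture: pod level unset, only container1 opts in
apiVersion: v1
kind: Pod
metadata:
  name: runasnonroot5
spec:
  containers:
  - image: k8s.gcr.io/pause
    name: container1
    securityContext:
      runAsNonRoot: true
  initContainers:
  - image: k8s.gcr.io/pause
    name: initcontainer1
    securityContext: {}
  securityContext: {}
```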
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux2.yaml
new file mode 100755
index 00000000000..537e193472d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux3.yaml
new file mode 100755
index 00000000000..289dd23f9bb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux3.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux4.yaml
new file mode 100755
index 00000000000..878fd40a5ae
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux4.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux5.yaml
new file mode 100755
index 00000000000..89ea534e449
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux5.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux6.yaml
new file mode 100755
index 00000000000..1d8f5da087d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux7.yaml
new file mode 100755
index 00000000000..544f026b321
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux8.yaml
new file mode 100755
index 00000000000..64fc5eba2a3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/selinux8.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..3185a9f177b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/addcapabilities0.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..650b78e6671
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/addcapabilities1.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/base.yaml
new file mode 100755
index 00000000000..aa0683c9292
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/base.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
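Review bot: Nothing in `restricted/v1.5/pass/addcapabilities0.yaml` says why a pod that adds `SETUID`, `SETGID`, `DAC_OVERRIDE`, `MKNOD` and `SYS_CHROOT` is expected to pass the restricted level. The thirteen names read like an add-allowlist (the fail fixtures for this level reject `NET_RAW`, lower-case `chown`, `bogus` and `CAP_CHOWN`), which would mean that at this version only the added names are checked and no `drop` is required; that is inferred from the fixtures, the diff does not state it. A leading comment would keep readers from taking the file as a hardening template, for example `# passes because only the capability add-allowlist is checked at this version; not a recommended securityContext`. The same applies to `addcapabilities1.yaml`, which carries the list on the init container.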
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..5cb641d1bca
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/runasnonroot0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..4313f124ba0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/runasnonroot1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..50b6eb3ab8d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/runasnonroot2.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux0.yaml
new file mode 100755
index 00000000000..f12fef14392
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux1.yaml
new file mode 100755
index 00000000000..7f04d1db606
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux10.yaml
new file mode 100755
index 00000000000..72f933306fb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux10.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux11.yaml
new file mode 100755
index 00000000000..50dff0fc74f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux11.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux12.yaml
new file mode 100755
index 00000000000..cf3a07d2cd5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux12.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux13.yaml
new file mode 100755
index 00000000000..b32e3fab6a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux13.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux14.yaml
new file mode 100755
index 00000000000..06af2b8960f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux14.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux15.yaml
new file mode 100755
index 00000000000..08bdbba3046
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux15.yaml
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux16.yaml new file mode 100755 index 00000000000..53cfaea819a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux16.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux17.yaml new file mode 100755 index 00000000000..5c9d12d4442 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux17.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
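Review bot: selinux15.yaml, selinux16.yaml and selinux17.yaml in restricted/v1.5/pass are the same manifest apart from `metadata.name`, with every `seLinuxOptions` set to `{}`; selinux3 to selinux5 further down repeat that shape. Whatever distinguished the cases (possibly an empty-string field dropped on serialization) is not in the files, so neither a reader nor a failing test can tell which SELinux variant each one covers. I would record the case in each file with a first line such as `# case: <field that was set, and at which level>`, or emit one fixture per distinct serialized pod.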
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux18.yaml new file mode 100755 index 00000000000..08be2f6cafb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux18.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + level: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux19.yaml new file mode 100755 index 00000000000..a1e3ea1cb98 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux19.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + level: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux2.yaml new file mode 100755 index 00000000000..51ab535ab12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux2.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux20.yaml new file mode 100755 index 00000000000..4cd5be51506 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux20.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux20 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + level: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux3.yaml new file mode 100755 index 00000000000..15959503854 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux4.yaml new file mode 100755 index 00000000000..d7b44e06767 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux4.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux5.yaml new file mode 100755 index 00000000000..12f60be1691 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux6.yaml new file mode 100755 index 00000000000..68c7741f105 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux6.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux7.yaml new file mode 100755 index 00000000000..242ee6e1a58 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux7.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux8.yaml new file mode 100755 index 00000000000..12839265d00 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux8.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux9.yaml new file mode 100755 index 00000000000..bbe871037c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/selinux9.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_init_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities0.yaml new file mode 100755 index 00000000000..7d2a40aa16f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - NET_RAW + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities1.yaml new file mode 100755 index 00000000000..4ce478cc101 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities1.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - NET_RAW + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities2.yaml new file mode 100755 index 00000000000..e2ac69c257c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - chown + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities3.yaml new file mode 100755 index 00000000000..7b8039471c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities3.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - chown + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities4.yaml new file mode 100755 index 00000000000..c35f9bac810 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities4.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - bogus + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities5.yaml new file mode 100755 index 00000000000..750b776c0e9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities5.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - bogus + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities6.yaml new file mode 100755 index 00000000000..a7c074252bc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities6.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities7.yaml new file mode 100755 index 00000000000..05e8355ab2e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/addcapabilities7.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - CAP_CHOWN + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/runasnonroot0.yaml new file mode 100755 index 00000000000..0c718535423 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/runasnonroot0.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/runasnonroot1.yaml new file mode 100755 index 00000000000..a2c190cd5d6 
--- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/runasnonroot1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: false diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/runasnonroot2.yaml new file mode 100755 index 00000000000..7a7d85978a6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/runasnonroot2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + runAsNonRoot: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/runasnonroot3.yaml new file mode 100755 index 00000000000..0247a604640 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/runasnonroot3.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/runasnonroot4.yaml new file mode 100755 index 00000000000..688e7988348 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/runasnonroot4.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux0.yaml new file mode 100755 index 00000000000..363b8deb226 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux1.yaml new file mode 100755 index 00000000000..193ad4e87eb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux1.yaml 
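Review bot: The runAsNonRoot fail fixtures for restricted/v1.6 (runasnonroot0 to runasnonroot4, the last of which is added here) never cover a pod where the pod-level field is unset and only one of the two containers sets `runAsNonRoot: true`. That is the case a check gets wrong if it accepts a pod as soon as any container opts in. The pass set only covers "pod-level true" and "both containers true", so neither side pins it. I would add a fail fixture along the lines below, plus its mirror with the init container as the one that opts in; the name is a placeholder.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: runasnonroot5  # placeholder name for the proposed fixture
spec:
  containers:
  - image: k8s.gcr.io/pause
    name: container1
    securityContext:
      runAsNonRoot: true
  initContainers:
  - image: k8s.gcr.io/pause
    name: initcontainer1
    securityContext: {}
  securityContext: {}
```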
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux2.yaml new file mode 100755 index 00000000000..537e193472d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux3.yaml new file mode 100755 index 00000000000..289dd23f9bb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux3.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + user: somevalue 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux4.yaml new file mode 100755 index 00000000000..878fd40a5ae --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux4.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + user: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux5.yaml new file mode 100755 index 00000000000..89ea534e449 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux5.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + user: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux6.yaml new file mode 100755 index 00000000000..1d8f5da087d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux6.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + role: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux7.yaml new file mode 100755 index 00000000000..544f026b321 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux7.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + role: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux8.yaml new file mode 100755 index 00000000000..64fc5eba2a3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/selinux8.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + role: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/addcapabilities0.yaml new file mode 100755 index 00000000000..3185a9f177b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/addcapabilities0.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/addcapabilities1.yaml new file mode 100755 index 00000000000..650b78e6671 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/addcapabilities1.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: + runAsNonRoot: true 
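Review bot: addcapabilities0.yaml and addcapabilities1.yaml sit under restricted/v1.6/pass while adding thirteen capabilities, among them `DAC_OVERRIDE`, `SETUID`, `SETGID` and `MKNOD`, and nothing in the files says why that is acceptable. As far as I can tell this is intended: at this policy version restricted only inherits the baseline capability allow-list, and the stricter drop-ALL rule belongs to later versions. A reader who copies the manifest as an example of a restricted-compliant pod gets the wrong idea, though. I would state it in the fixture, e.g. `# passes only because restricted at v1.6 applies the baseline add-capabilities allow-list`.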
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/base.yaml new file mode 100755 index 00000000000..aa0683c9292 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/base.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/runasnonroot0.yaml new file mode 100755 index 00000000000..5cb641d1bca --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/runasnonroot0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/runasnonroot1.yaml new file mode 100755 index 00000000000..4313f124ba0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/runasnonroot1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + runAsNonRoot: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + securityContext: {} 
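Review bot: `image: k8s.gcr.io/pause` in base.yaml, and in every other fixture in this diff, carries neither a tag nor a digest, so it resolves to whatever `latest` is at pull time. That is harmless while the manifests are only fed to the policy evaluator. If any test creates these pods against a real cluster, which is not visible from here, the run depends on a mutable image. Pinning the reference as `image: k8s.gcr.io/pause:<TAG>`, or with an `@sha256:<DIGEST>` suffix, keeps the fixtures reproducible.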
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/runasnonroot2.yaml new file mode 100755 index 00000000000..50b6eb3ab8d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/runasnonroot2.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + runAsNonRoot: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux0.yaml new file mode 100755 index 00000000000..f12fef14392 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux1.yaml new file mode 100755 index 00000000000..7f04d1db606 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux1.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux10.yaml new file mode 100755 index 00000000000..72f933306fb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux10.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_init_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux11.yaml new file mode 100755 index 00000000000..50dff0fc74f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux11.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_init_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux12.yaml new file mode 100755 index 00000000000..cf3a07d2cd5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux12.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_kvm_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux13.yaml new file mode 100755 index 00000000000..b32e3fab6a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux13.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_kvm_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux14.yaml new file mode 100755 index 00000000000..06af2b8960f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux14.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_kvm_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux15.yaml new file mode 100755 index 00000000000..08bdbba3046 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux15.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux16.yaml new file mode 100755 index 00000000000..53cfaea819a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux16.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
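Review bot: selinux15.yaml under restricted/v1.6/pass has the same body as selinux16, selinux17, selinux3, selinux4 and selinux5 in that directory: `seLinuxOptions: {}` on the container, the init container and the pod, with only `metadata.name` differing. The six files therefore exercise a single case. If they come from distinct inputs (presumably empty-string `user` or `role` values that serialization drops; not visible here), that coverage is absent from the YAML the test actually loads. Either collapse the duplicates or make the intended variation visible in each file, for example with a leading comment such as `# case: <field under test>`.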
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux17.yaml new file mode 100755 index 00000000000..5c9d12d4442 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux17.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux18.yaml new file mode 100755 index 00000000000..08be2f6cafb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux18.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + level: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux19.yaml new file mode 100755 index 00000000000..a1e3ea1cb98 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux19.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + level: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux2.yaml new file mode 100755 index 00000000000..51ab535ab12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux2.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux20.yaml new file mode 100755 index 00000000000..4cd5be51506 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux20.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux20 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + level: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux3.yaml new file mode 100755 index 00000000000..15959503854 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux4.yaml new file mode 100755 index 00000000000..d7b44e06767 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux4.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux5.yaml new file mode 100755 index 00000000000..12f60be1691 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux5.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux6.yaml new file mode 100755 index 00000000000..68c7741f105 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux6.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux7.yaml new file mode 100755 index 00000000000..242ee6e1a58 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux7.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: container_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux8.yaml new file mode 100755 index 00000000000..12839265d00 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux8.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_t + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux9.yaml new file mode 100755 index 00000000000..bbe871037c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/selinux9.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_init_t diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities0.yaml new file mode 100755 index 00000000000..7d2a40aa16f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities0.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - NET_RAW + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities1.yaml new file mode 100755 index 00000000000..4ce478cc101 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities1.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - NET_RAW + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities2.yaml new file mode 100755 index 00000000000..e2ac69c257c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - chown + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: + runAsNonRoot: true 
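Review bot: Every fail case from addcapabilities0.yaml through addcapabilities7.yaml under restricted/v1.7/fail adds exactly one capability, so nothing checks a list that mixes an allowed entry with a disallowed one. A check that stopped at the first allowed entry would still reject all eight, and the pass fixtures only list allowed values. One more fail fixture whose `add:` list reads `- CHOWN` followed by `- NET_RAW` would pin that every entry is evaluated.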
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities3.yaml new file mode 100755 index 00000000000..7b8039471c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities3.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - chown + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities4.yaml new file mode 100755 index 00000000000..c35f9bac810 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities4.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - bogus + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities5.yaml new file mode 100755 index 00000000000..750b776c0e9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities5.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - bogus + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities6.yaml new file mode 100755 index 00000000000..a7c074252bc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities6.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities7.yaml new file mode 100755 index 00000000000..05e8355ab2e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/addcapabilities7.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - CAP_CHOWN + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/runasnonroot0.yaml new file mode 100755 index 00000000000..0c718535423 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/runasnonroot0.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/runasnonroot1.yaml new file mode 100755 index 00000000000..a2c190cd5d6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/runasnonroot1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: false diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/runasnonroot2.yaml new file mode 100755 index 00000000000..7a7d85978a6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/runasnonroot2.yaml 
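Review bot: runasnonroot1.yaml under restricted/v1.7/fail sets the pod-level `runAsNonRoot: false` only alongside containers that leave the field unset. None of runasnonroot0–4 in this directory, nor runasnonroot0–2 under pass, combines a pod-level `false` with containers that all set `runAsNonRoot: true`. That leaves the precedence between pod and container values unpinned for this version, so a later change to the override logic could flip the verdict without any fixture failing. A further case with `runAsNonRoot: true` on both containers and `runAsNonRoot: false` on the pod, placed in whichever directory matches the intended verdict, would close the gap.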
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + runAsNonRoot: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/runasnonroot3.yaml new file mode 100755 index 00000000000..0247a604640 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/runasnonroot3.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/runasnonroot4.yaml new file mode 100755 index 00000000000..688e7988348 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/runasnonroot4.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux0.yaml new file mode 100755 index 00000000000..363b8deb226 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux0.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux1.yaml new file mode 100755 index 00000000000..193ad4e87eb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux1.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux2.yaml new file mode 100755 index 00000000000..537e193472d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux3.yaml new file mode 100755 index 00000000000..289dd23f9bb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux3.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + user: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux4.yaml new file mode 100755 index 00000000000..878fd40a5ae --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux4.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + user: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux5.yaml new file mode 100755 index 00000000000..89ea534e449 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux5.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + user: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux6.yaml new file mode 100755 index 00000000000..1d8f5da087d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux6.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + role: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux7.yaml new file mode 100755 index 00000000000..544f026b321 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux7.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + role: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux8.yaml new file mode 100755 index 00000000000..64fc5eba2a3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/selinux8.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinux8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + role: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/addcapabilities0.yaml new file mode 100755 index 00000000000..3185a9f177b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/addcapabilities0.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: addcapabilities0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/addcapabilities1.yaml new file mode 100755 index 00000000000..650b78e6671 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/addcapabilities1.yaml 
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/base.yaml
new file mode 100755
index 00000000000..aa0683c9292
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/base.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..5cb641d1bca
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/runasnonroot0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..4313f124ba0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/runasnonroot1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..50b6eb3ab8d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/runasnonroot2.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux0.yaml
new file mode 100755
index 00000000000..f12fef14392
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux1.yaml
new file mode 100755
index 00000000000..7f04d1db606
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux10.yaml
new file mode 100755
index 00000000000..72f933306fb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux10.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux11.yaml
new file mode 100755
index 00000000000..50dff0fc74f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux11.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux12.yaml
new file mode 100755
index 00000000000..cf3a07d2cd5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux12.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux13.yaml
new file mode 100755
index 00000000000..b32e3fab6a0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux13.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux14.yaml
new file mode 100755
index 00000000000..06af2b8960f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux14.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux15.yaml
new file mode 100755
index 00000000000..08bdbba3046
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux15.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
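Review bot: `restricted/v1.7/pass/selinux15.yaml` (the 18-line hunk that ends this line) carries the same pod spec as `selinux16`, `selinux17`, `selinux3`, `selinux4` and `selinux5` in the same directory; only `metadata.name` differs, and every `seLinuxOptions` is rendered as `{}`. As checked-in files they exercise one input six times, and a reader cannot tell which variant each was meant to cover. Presumably the distinguishing value was empty and dropped on serialization, which should be confirmed against whatever produces these fixtures. I would add a one-line header to each file naming the intended case, e.g. `# variant: <field set by the generator> (empty, omitted when serialized)`, or emit the case once.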
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux16.yaml
new file mode 100755
index 00000000000..53cfaea819a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux16.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux17.yaml
new file mode 100755
index 00000000000..5c9d12d4442
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux17.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux18.yaml
new file mode 100755
index 00000000000..08be2f6cafb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux18.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux19.yaml
new file mode 100755
index 00000000000..a1e3ea1cb98
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux19.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux2.yaml
new file mode 100755
index 00000000000..51ab535ab12
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux2.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux20.yaml
new file mode 100755
index 00000000000..4cd5be51506
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux20.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux3.yaml
new file mode 100755
index 00000000000..15959503854
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux4.yaml
new file mode 100755
index 00000000000..d7b44e06767
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux5.yaml
new file mode 100755
index 00000000000..12f60be1691
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux5.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux6.yaml
new file mode 100755
index 00000000000..68c7741f105
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux6.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux7.yaml
new file mode 100755
index 00000000000..242ee6e1a58
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux7.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux8.yaml
new file mode 100755
index 00000000000..12839265d00
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux8.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux9.yaml
new file mode 100755
index 00000000000..bbe871037c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/selinux9.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..8d989f6f2ba
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..92c51f1a671
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..f1decea46f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..23f4b98b35c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..270fd72f07d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities4.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..58e5bd93805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - bogus
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..935bbec6908
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..acb905603ef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/addcapabilities7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..f3835ccd458
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation1.yaml
new file mode 100755
index 00000000000..2a63d4f945c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation2.yaml
new file mode 100755
index 00000000000..f3eaa44ffef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation3.yaml
new file mode 100755
index 00000000000..981f2c97513
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation3.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation4.yaml
new file mode 100755
index 00000000000..6c21220c390
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation4.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation5.yaml
new file mode 100755
index 00000000000..6c9c205114e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/allowprivilegeescalation5.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/runasnonroot0.yaml
new file mode 100755
index 00000000000..333736b5ee5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/runasnonroot0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/runasnonroot1.yaml
new file mode 100755
index 00000000000..3d9fa196e3a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/runasnonroot1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: false
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/runasnonroot2.yaml
new file mode 100755
index 00000000000..90fb05805ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/runasnonroot2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/runasnonroot3.yaml
new file mode 100755
index 00000000000..90d318e1a7c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/runasnonroot3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/runasnonroot4.yaml
new file mode 100755
index 00000000000..688e7988348
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/runasnonroot4.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux0.yaml
new file mode 100755
index 00000000000..bfb4dde7008
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux1.yaml
new file mode 100755
index 00000000000..b3be2791491
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
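Review bot: restricted/v1.8/fail/runasnonroot4.yaml drops every securityContext, so besides leaving runAsNonRoot unset it also lacks the `allowPrivilegeEscalation: false` that the sibling runasnonroot0–3 fixtures set on both containers. The pod would presumably be rejected by the allowPrivilegeEscalation check too (that check has its own fixtures in this v1.8 fail directory), so this file no longer shows that the runAsNonRoot check is what denies it. If the harness only asserts allowed versus denied, a regression in the runAsNonRoot check's handling of absent securityContext fields would still pass here. Either have the test assert which check rejected the pod, or add a header comment such as `# violates runAsNonRoot and allowPrivilegeEscalation: every securityContext omitted` so the overlap is explicit.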
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux2.yaml
new file mode 100755
index 00000000000..933d98f0afd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux3.yaml
new file mode 100755
index 00000000000..236e6994069
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux4.yaml
new file mode 100755
index 00000000000..72bb1e246da
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux4.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux5.yaml
new file mode 100755
index 00000000000..054ed87df3b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux6.yaml
new file mode 100755
index 00000000000..c7885b0e51b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux7.yaml
new file mode 100755
index 00000000000..dc8abb1a8d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux8.yaml
new file mode 100755
index 00000000000..0f900bb42f0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..f28e384225c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/addcapabilities0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..b4be8387110
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/addcapabilities1.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..b2a028c9622
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/base.yaml
new file mode 100755
index 00000000000..56b47e7f2f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/base.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..7250230e275
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/runasnonroot0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..7ba6345d0f2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/runasnonroot1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..27b53f0d805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/runasnonroot2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux0.yaml
new file mode 100755
index 00000000000..d914e0b00c8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux1.yaml
new file mode 100755
index 00000000000..c391cd71474
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux10.yaml
new file mode 100755
index 00000000000..67d30aa7119
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux10.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux11.yaml
new file mode 100755
index 00000000000..5e8e4299521
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux11.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux12.yaml
new file mode 100755
index 00000000000..67150038291
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux12.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux13.yaml
new file mode 100755
index 00000000000..2c44d9fd807
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux13.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux14.yaml
new file mode 100755
index 00000000000..08d9789a6d5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux14.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux15.yaml
new file mode 100755
index 00000000000..6ab973f2a29
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux15.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux16.yaml
new file mode 100755
index 00000000000..a51186318c9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux16.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux17.yaml
new file mode 100755
index 00000000000..16c93576fb5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux17.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
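Review bot: restricted/v1.8/pass/selinux15.yaml, selinux16.yaml and selinux17.yaml differ only in `metadata.name`; all three carry `seLinuxOptions: {}` at container, init-container and pod level, and pass/selinux3.yaml, selinux4.yaml and selinux5.yaml further down repeat the same spec again. Whatever field variation each file was meant to cover is not present in the YAML, so the six files exercise one input and the allowed-empty cases they presumably stand for are not pinned individually. A header comment per fixture naming the intended case, for example `# case: <field and value this fixture varies>`, would let a reader tell them apart; otherwise collapsing them into one file says the same thing with less noise.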
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux18.yaml
new file mode 100755
index 00000000000..6141503f43f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux18.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux19.yaml
new file mode 100755
index 00000000000..2251561ecd0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux19.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux2.yaml
new file mode 100755
index 00000000000..b8498cbc662
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux20.yaml
new file mode 100755
index 00000000000..d5819531dcb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux20.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux3.yaml
new file mode 100755
index 00000000000..54345a56a0e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux4.yaml
new file mode 100755
index 00000000000..0274d5bbc5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux4.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux5.yaml
new file mode 100755
index 00000000000..72b1c0818a8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux5.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux6.yaml
new file mode 100755
index 00000000000..9d0c703d8a9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux7.yaml
new file mode 100755
index 00000000000..5138c5cdcb2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux8.yaml
new file mode 100755
index 00000000000..99fd076bed6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux9.yaml
new file mode 100755
index 00000000000..b4c3e31d113
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/selinux9.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_init_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities0.yaml
new file mode 100755
index 00000000000..8d989f6f2ba
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities1.yaml
new file mode 100755
index 00000000000..92c51f1a671
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities2.yaml
new file mode 100755
index 00000000000..f1decea46f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities3.yaml
new file mode 100755
index 00000000000..23f4b98b35c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities4.yaml
new file mode 100755
index 00000000000..270fd72f07d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities4.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - bogus
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities5.yaml
new file mode 100755
index 00000000000..58e5bd93805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - bogus
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities6.yaml
new file mode 100755
index 00000000000..935bbec6908
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities7.yaml
new file mode 100755
index 00000000000..acb905603ef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/addcapabilities7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..f3835ccd458
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation1.yaml
new file mode 100755
index 00000000000..2a63d4f945c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation2.yaml
new file mode 100755
index 00000000000..f3eaa44ffef
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation3.yaml
new file mode 100755
index 00000000000..981f2c97513
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation3.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation4.yaml
new file mode 100755
index 00000000000..6c21220c390
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation4.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation5.yaml
new file mode 100755
index 00000000000..6c9c205114e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/allowprivilegeescalation5.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/runasnonroot0.yaml
new file mode 100755
index 00000000000..333736b5ee5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/runasnonroot0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/runasnonroot1.yaml
new file mode 100755
index 00000000000..3d9fa196e3a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/runasnonroot1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: false
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/runasnonroot2.yaml
new file mode 100755
index 00000000000..90fb05805ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/runasnonroot2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/runasnonroot3.yaml
new file mode 100755
index 00000000000..90d318e1a7c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/runasnonroot3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/runasnonroot4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/runasnonroot4.yaml
new file mode 100755
index 00000000000..688e7988348
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/runasnonroot4.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux0.yaml
new file mode 100755
index 00000000000..bfb4dde7008
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux0.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux1.yaml
new file mode 100755
index 00000000000..b3be2791491
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
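Review bot: fail/runasnonroot4.yaml removes every securityContext, so besides leaving runAsNonRoot unset it also leaves `allowPrivilegeEscalation` unset on both containers. fail/allowprivilegeescalation4.yaml and allowprivilegeescalation5.yaml in this same diff treat a missing `allowPrivilegeEscalation` as a restricted v1.9 violation on its own. A rejection of this pod therefore does not show that the runAsNonRoot check fired, unless the test harness (not visible here) matches on the reported reason. If it does not, a regression in that check could go unnoticed. Either assert on the failure reason or record the overlap in a header comment such as `# also violates allowPrivilegeEscalation; expected reason: runAsNonRoot`.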
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux2.yaml
new file mode 100755
index 00000000000..933d98f0afd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux2.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux3.yaml
new file mode 100755
index 00000000000..236e6994069
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux3.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux4.yaml
new file mode 100755
index 00000000000..72bb1e246da
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux4.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux5.yaml
new file mode 100755
index 00000000000..054ed87df3b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux5.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ user: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux6.yaml
new file mode 100755
index 00000000000..c7885b0e51b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux7.yaml
new file mode 100755
index 00000000000..dc8abb1a8d9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux8.yaml
new file mode 100755
index 00000000000..0f900bb42f0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ role: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/addcapabilities0.yaml
new file mode 100755
index 00000000000..f28e384225c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/addcapabilities0.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/addcapabilities1.yaml
new file mode 100755
index 00000000000..b4be8387110
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/addcapabilities1.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: addcapabilities1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..b2a028c9622
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/allowprivilegeescalation0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/base.yaml
new file mode 100755
index 00000000000..56b47e7f2f4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/base.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/runasnonroot0.yaml
new file mode 100755
index 00000000000..7250230e275
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/runasnonroot0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/runasnonroot1.yaml
new file mode 100755
index 00000000000..7ba6345d0f2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/runasnonroot1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/runasnonroot2.yaml
new file mode 100755
index 00000000000..27b53f0d805
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/runasnonroot2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux0.yaml
new file mode 100755
index 00000000000..d914e0b00c8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux1.yaml
new file mode 100755
index 00000000000..c391cd71474
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux1.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux10.yaml
new file mode 100755
index 00000000000..67d30aa7119
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux10.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux11.yaml
new file mode 100755
index 00000000000..5e8e4299521
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux11.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_init_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux12.yaml
new file mode 100755
index 00000000000..67150038291
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux12.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_kvm_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux13.yaml
new file mode 100755
index 00000000000..2c44d9fd807
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux13.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux14.yaml
new file mode 100755
index 00000000000..08d9789a6d5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux14.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux15.yaml
new file mode 100755
index 00000000000..6ab973f2a29
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux15.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux16.yaml
new file mode 100755
index 00000000000..a51186318c9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux16.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux17.yaml
new file mode 100755
index 00000000000..16c93576fb5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux17.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
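Review bot: pass/selinux15.yaml, selinux16.yaml and selinux17.yaml are identical apart from `metadata.name`, since every `seLinuxOptions` in them is `{}`. pass/selinux3.yaml, selinux4.yaml and selinux5.yaml further down have the same body. Whatever distinguished these cases at the source (possibly an explicitly empty `user` or `role`, which would be dropped on serialization) is not present in the YAML. A consumer that loads the files therefore exercises one case six times. Either drop the duplicates or keep the distinguishing field in the serialized form; a one-line `#` comment naming the intended case would at least make the intent reviewable.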
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux18.yaml
new file mode 100755
index 00000000000..6141503f43f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux18.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ level: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux19.yaml
new file mode 100755
index 00000000000..2251561ecd0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux19.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux2.yaml
new file mode 100755
index 00000000000..b8498cbc662
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux20.yaml
new file mode 100755
index 00000000000..d5819531dcb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux20.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux20
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ level: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux3.yaml
new file mode 100755
index 00000000000..54345a56a0e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux4.yaml
new file mode 100755
index 00000000000..0274d5bbc5f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux4.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux5.yaml
new file mode 100755
index 00000000000..72b1c0818a8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux5.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux6.yaml
new file mode 100755
index 00000000000..9d0c703d8a9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux6.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux7.yaml
new file mode 100755
index 00000000000..5138c5cdcb2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux7.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux8.yaml
new file mode 100755
index 00000000000..99fd076bed6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux8.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions:
+ type: container_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux9.yaml
new file mode 100755
index 00000000000..b4c3e31d113
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/selinux9.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinux9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_init_t