From f0ffba75ad548309fde632a749433c6f0f7bf05c Mon Sep 17 00:00:00 2001 From: Madhav Jivrajani Date: Wed, 30 Jun 2021 11:29:00 +0530 Subject: [PATCH] Add baseline check for procMount type - Will not allow if a container (init or not) sets the proc mount type to anything other than `Default` - Include fixture for proc mount baseline generation and the consequent generated test data 
Signed-off-by: Madhav Jivrajani --- .../policy/check_procMount.go | 80 +++++++++++++++++++ .../test/fixtures_procMount.go | 62 ++++++++++++++ .../baseline/v1.0/fail/procmount0.yaml | 15 ++++ .../baseline/v1.0/fail/procmount1.yaml | 15 ++++ .../baseline/v1.0/pass/procmount0.yaml | 16 ++++ .../baseline/v1.1/fail/procmount0.yaml | 15 ++++ .../baseline/v1.1/fail/procmount1.yaml | 15 ++++ .../baseline/v1.1/pass/procmount0.yaml | 16 ++++ .../baseline/v1.10/fail/procmount0.yaml | 15 ++++ .../baseline/v1.10/fail/procmount1.yaml | 15 ++++ .../baseline/v1.10/pass/procmount0.yaml | 16 ++++ .../baseline/v1.11/fail/procmount0.yaml | 15 ++++ .../baseline/v1.11/fail/procmount1.yaml | 15 ++++ .../baseline/v1.11/pass/procmount0.yaml | 16 ++++ .../baseline/v1.12/fail/procmount0.yaml | 15 ++++ .../baseline/v1.12/fail/procmount1.yaml | 15 ++++ .../baseline/v1.12/pass/procmount0.yaml | 16 ++++ .../baseline/v1.13/fail/procmount0.yaml | 15 ++++ .../baseline/v1.13/fail/procmount1.yaml | 15 ++++ .../baseline/v1.13/pass/procmount0.yaml | 16 ++++ .../baseline/v1.14/fail/procmount0.yaml | 15 ++++ .../baseline/v1.14/fail/procmount1.yaml | 15 ++++ .../baseline/v1.14/pass/procmount0.yaml | 16 ++++ .../baseline/v1.15/fail/procmount0.yaml | 15 ++++ .../baseline/v1.15/fail/procmount1.yaml | 15 ++++ .../baseline/v1.15/pass/procmount0.yaml | 16 ++++ .../baseline/v1.16/fail/procmount0.yaml | 15 ++++ .../baseline/v1.16/fail/procmount1.yaml | 15 ++++ .../baseline/v1.16/pass/procmount0.yaml | 16 ++++ .../baseline/v1.17/fail/procmount0.yaml | 15 ++++ .../baseline/v1.17/fail/procmount1.yaml | 15 ++++ .../baseline/v1.17/pass/procmount0.yaml | 16 ++++ .../baseline/v1.18/fail/procmount0.yaml | 15 ++++ .../baseline/v1.18/fail/procmount1.yaml | 15 ++++ .../baseline/v1.18/pass/procmount0.yaml | 16 ++++ .../baseline/v1.19/fail/procmount0.yaml | 15 ++++ .../baseline/v1.19/fail/procmount1.yaml | 15 ++++ .../baseline/v1.19/pass/procmount0.yaml | 16 ++++ .../baseline/v1.2/fail/procmount0.yaml | 15 ++++ 
.../baseline/v1.2/fail/procmount1.yaml | 15 ++++ .../baseline/v1.2/pass/procmount0.yaml | 16 ++++ .../baseline/v1.20/fail/procmount0.yaml | 15 ++++ .../baseline/v1.20/fail/procmount1.yaml | 15 ++++ .../baseline/v1.20/pass/procmount0.yaml | 16 ++++ .../baseline/v1.21/fail/procmount0.yaml | 15 ++++ .../baseline/v1.21/fail/procmount1.yaml | 15 ++++ .../baseline/v1.21/pass/procmount0.yaml | 16 ++++ .../baseline/v1.22/fail/procmount0.yaml | 15 ++++ .../baseline/v1.22/fail/procmount1.yaml | 15 ++++ .../baseline/v1.22/pass/procmount0.yaml | 16 ++++ .../baseline/v1.3/fail/procmount0.yaml | 15 ++++ .../baseline/v1.3/fail/procmount1.yaml | 15 ++++ .../baseline/v1.3/pass/procmount0.yaml | 16 ++++ .../baseline/v1.4/fail/procmount0.yaml | 15 ++++ .../baseline/v1.4/fail/procmount1.yaml | 15 ++++ .../baseline/v1.4/pass/procmount0.yaml | 16 ++++ .../baseline/v1.5/fail/procmount0.yaml | 15 ++++ .../baseline/v1.5/fail/procmount1.yaml | 15 ++++ .../baseline/v1.5/pass/procmount0.yaml | 16 ++++ .../baseline/v1.6/fail/procmount0.yaml | 15 ++++ .../baseline/v1.6/fail/procmount1.yaml | 15 ++++ .../baseline/v1.6/pass/procmount0.yaml | 16 ++++ .../baseline/v1.7/fail/procmount0.yaml | 15 ++++ .../baseline/v1.7/fail/procmount1.yaml | 15 ++++ .../baseline/v1.7/pass/procmount0.yaml | 16 ++++ .../baseline/v1.8/fail/procmount0.yaml | 15 ++++ .../baseline/v1.8/fail/procmount1.yaml | 15 ++++ .../baseline/v1.8/pass/procmount0.yaml | 16 ++++ .../baseline/v1.9/fail/procmount0.yaml | 15 ++++ .../baseline/v1.9/fail/procmount1.yaml | 15 ++++ .../baseline/v1.9/pass/procmount0.yaml | 16 ++++ .../restricted/v1.0/fail/procmount0.yaml | 16 ++++ .../restricted/v1.0/fail/procmount1.yaml | 16 ++++ .../restricted/v1.0/pass/procmount0.yaml | 17 ++++ .../restricted/v1.1/fail/procmount0.yaml | 16 ++++ .../restricted/v1.1/fail/procmount1.yaml | 16 ++++ .../restricted/v1.1/pass/procmount0.yaml | 17 ++++ .../restricted/v1.10/fail/procmount0.yaml | 18 +++++ .../restricted/v1.10/fail/procmount1.yaml | 18 +++++ 
.../restricted/v1.10/pass/procmount0.yaml | 19 +++++ .../restricted/v1.11/fail/procmount0.yaml | 18 +++++ .../restricted/v1.11/fail/procmount1.yaml | 18 +++++ .../restricted/v1.11/pass/procmount0.yaml | 19 +++++ .../restricted/v1.12/fail/procmount0.yaml | 18 +++++ .../restricted/v1.12/fail/procmount1.yaml | 18 +++++ .../restricted/v1.12/pass/procmount0.yaml | 19 +++++ .../restricted/v1.13/fail/procmount0.yaml | 18 +++++ .../restricted/v1.13/fail/procmount1.yaml | 18 +++++ .../restricted/v1.13/pass/procmount0.yaml | 19 +++++ .../restricted/v1.14/fail/procmount0.yaml | 18 +++++ .../restricted/v1.14/fail/procmount1.yaml | 18 +++++ .../restricted/v1.14/pass/procmount0.yaml | 19 +++++ .../restricted/v1.15/fail/procmount0.yaml | 18 +++++ .../restricted/v1.15/fail/procmount1.yaml | 18 +++++ .../restricted/v1.15/pass/procmount0.yaml | 19 +++++ .../restricted/v1.16/fail/procmount0.yaml | 18 +++++ .../restricted/v1.16/fail/procmount1.yaml | 18 +++++ .../restricted/v1.16/pass/procmount0.yaml | 19 +++++ .../restricted/v1.17/fail/procmount0.yaml | 18 +++++ .../restricted/v1.17/fail/procmount1.yaml | 18 +++++ .../restricted/v1.17/pass/procmount0.yaml | 19 +++++ .../restricted/v1.18/fail/procmount0.yaml | 18 +++++ .../restricted/v1.18/fail/procmount1.yaml | 18 +++++ .../restricted/v1.18/pass/procmount0.yaml | 19 +++++ .../restricted/v1.19/fail/procmount0.yaml | 18 +++++ .../restricted/v1.19/fail/procmount1.yaml | 18 +++++ .../restricted/v1.19/pass/procmount0.yaml | 19 +++++ .../restricted/v1.2/fail/procmount0.yaml | 16 ++++ .../restricted/v1.2/fail/procmount1.yaml | 16 ++++ .../restricted/v1.2/pass/procmount0.yaml | 17 ++++ .../restricted/v1.20/fail/procmount0.yaml | 18 +++++ .../restricted/v1.20/fail/procmount1.yaml | 18 +++++ .../restricted/v1.20/pass/procmount0.yaml | 19 +++++ .../restricted/v1.21/fail/procmount0.yaml | 18 +++++ .../restricted/v1.21/fail/procmount1.yaml | 18 +++++ .../restricted/v1.21/pass/procmount0.yaml | 19 +++++ .../restricted/v1.22/fail/procmount0.yaml | 
18 +++++ .../restricted/v1.22/fail/procmount1.yaml | 18 +++++ .../restricted/v1.22/pass/procmount0.yaml | 19 +++++ .../restricted/v1.3/fail/procmount0.yaml | 16 ++++ .../restricted/v1.3/fail/procmount1.yaml | 16 ++++ .../restricted/v1.3/pass/procmount0.yaml | 17 ++++ .../restricted/v1.4/fail/procmount0.yaml | 16 ++++ .../restricted/v1.4/fail/procmount1.yaml | 16 ++++ .../restricted/v1.4/pass/procmount0.yaml | 17 ++++ .../restricted/v1.5/fail/procmount0.yaml | 16 ++++ .../restricted/v1.5/fail/procmount1.yaml | 16 ++++ .../restricted/v1.5/pass/procmount0.yaml | 17 ++++ .../restricted/v1.6/fail/procmount0.yaml | 16 ++++ .../restricted/v1.6/fail/procmount1.yaml | 16 ++++ .../restricted/v1.6/pass/procmount0.yaml | 17 ++++ .../restricted/v1.7/fail/procmount0.yaml | 16 ++++ .../restricted/v1.7/fail/procmount1.yaml | 16 ++++ .../restricted/v1.7/pass/procmount0.yaml | 17 ++++ .../restricted/v1.8/fail/procmount0.yaml | 18 +++++ .../restricted/v1.8/fail/procmount1.yaml | 18 +++++ .../restricted/v1.8/pass/procmount0.yaml | 19 +++++ .../restricted/v1.9/fail/procmount0.yaml | 18 +++++ .../restricted/v1.9/fail/procmount1.yaml | 18 +++++ .../restricted/v1.9/pass/procmount0.yaml | 19 +++++ 140 files changed, 2417 insertions(+) create mode 100644 staging/src/k8s.io/pod-security-admission/policy/check_procMount.go create mode 100644 staging/src/k8s.io/pod-security-admission/test/fixtures_procMount.go create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/procmount1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/procmount1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/procmount1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/procmount1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/procmount1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/procmount0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/procmount0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/procmount1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/procmount0.yaml diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_procMount.go b/staging/src/k8s.io/pod-security-admission/policy/check_procMount.go new file mode 100644 index 00000000000..c07dd0014a2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/policy/check_procMount.go 
@@ -0,0 +1,80 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+ "fmt"
+
+ corev1 "k8s.io/api/core/v1"
+ v1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/sets"
+ "k8s.io/apimachinery/pkg/util/validation/field"
+ "k8s.io/pod-security-admission/api"
+)
+
+func init() {
+ addCheck(CheckProcMount)
+}
+
+// CheckProcMount returns a baseline level check that restricts
+// setting the value of securityContext.procMount to DefaultProcMount
+// in 1.0+
+func CheckProcMount() Check {
+ return Check{
+ ID: "procMount",
+ Level: api.LevelBaseline,
+ Versions: []VersionedCheck{
+ {
+ MinimumVersion: api.MajorMinorVersion(1, 0),
+ CheckPod: checkProcMount_1_0,
+ },
+ },
+ }
+}
+
+func checkProcMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+ forbiddenContainers := sets.NewString()
+ forbiddenProcMountTypes := sets.NewString()
+ visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
+ // allow if the security context is nil.
+ if container.SecurityContext == nil {
+ return
+ }
+ // allow if proc mount is not set.
+ if container.SecurityContext.ProcMount == nil {
+ return
+ }
+ // check if the value of the proc mount type is valid.
+ if *container.SecurityContext.ProcMount != v1.DefaultProcMount {
+ forbiddenContainers.Insert(container.Name)
+ forbiddenProcMountTypes.Insert(string(*container.SecurityContext.ProcMount))
+ }
+ })
+ if len(forbiddenContainers) > 0 {
+ return CheckResult{
+ Allowed: false,
+ ForbiddenReason: "forbidden procMount",
+ ForbiddenDetail: fmt.Sprintf(
+ "containers %q have forbidden procMount types %q",
+ forbiddenContainers.List(),
+ forbiddenProcMountTypes.List(),
+ ),
+ }
+ }
+ return CheckResult{Allowed: true}
+}
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_procMount.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_procMount.go
new file mode 100644
index 00000000000..83ad61ee956
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_procMount.go
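Review bot: The import block of check_procMount.go brings in `k8s.io/api/core/v1` twice, as `corev1` and as `v1`, and the second alias is used only for `v1.DefaultProcMount`; dropping the `v1` line and writing `*container.SecurityContext.ProcMount != corev1.DefaultProcMount` keeps one name for the package. fixtures_procMount.go has the same double import and mixes `*v1.Pod` with `[]*corev1.Pod` in one function signature. The comparison itself is an allowlist, which is the safe direction because any procMount type added to the API later is rejected at baseline until it is reviewed; the comment above it could say so, for example `// only Default is allowed; every other type, including ones added later, is forbidden`, and the nil branch could note that an unset procMount is treated as Default. In ForbiddenDetail the container names and the procMount types are two independently sorted sets, so the message does not tell the reader which container requested which type.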
@@ -0,0 +1,62 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package test
+
+import (
+ corev1 "k8s.io/api/core/v1"
+ v1 "k8s.io/api/core/v1"
+ "k8s.io/component-base/featuregate"
+ "k8s.io/pod-security-admission/api"
+)
+
+func init() {
+ fixtureData_1_0 := fixtureGenerator{
+ expectErrorSubstring: "forbidden procMount",
+ generatePass: func(p *v1.Pod) []*v1.Pod {
+ p = ensureSecurityContext(p)
+ return []*corev1.Pod{
+ // set proc mount of container and init container to a valid value
+ tweak(p, func(copy *v1.Pod) {
+ validProcMountType := v1.DefaultProcMount
+ copy.Spec.Containers[0].SecurityContext.ProcMount = &validProcMountType
+ copy.Spec.InitContainers[0].SecurityContext.ProcMount = &validProcMountType
+ }),
+ }
+ },
+ failRequiresFeatures: []featuregate.Feature{"ProcMountType"},
+ generateFail: func(p *v1.Pod) []*v1.Pod {
+ p = ensureSecurityContext(p)
+ return []*corev1.Pod{
+ // set proc mount of container to a forbidden value
+ tweak(p, func(copy *v1.Pod) {
+ inValidProcMountType := v1.UnmaskedProcMount
+ copy.Spec.Containers[0].SecurityContext.ProcMount = &inValidProcMountType
+ }),
+ // set proc mount of init container to a forbidden value
+ tweak(p, func(copy *v1.Pod) {
+ inValidProcMountType := v1.UnmaskedProcMount
+ copy.Spec.InitContainers[0].SecurityContext.ProcMount = &inValidProcMountType
+ }),
+ }
+ },
+ }
+
+ registerFixtureGenerator(
+ fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 0), check: "procMount"},
+ fixtureData_1_0,
+ )
+}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/procmount0.yaml 
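Review bot: generatePass in fixtures_procMount.go only produces a pod with procMount explicitly set to `Default` on both containers, so the two early returns in checkProcMount_1_0 (nil securityContext, nil procMount) get no passing fixture of their own from this generator; the base pod may already exercise them, which is not visible from this hunk. If it does not, a second tweak that leaves `copy.Spec.Containers[0].SecurityContext.ProcMount` unset would pin the path that pods without an explicit procMount take. A one-line comment on `failRequiresFeatures` would also help, presumably something like `// a non-default procMount is only retained by the API server when the ProcMountType gate is enabled`, to be confirmed against the test harness.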
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/procmount0.yaml new file mode 100755 index 00000000000..5848806ee43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/procmount1.yaml new file mode 100755 index 00000000000..c802fb84617 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/procmount0.yaml new file mode 100755 index 00000000000..70345187f9c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/procmount0.yaml new file mode 100755 index 00000000000..3d38e0116c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/procmount0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/procmount1.yaml new file mode 100755 index 00000000000..c774950551d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/procmount1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/procmount0.yaml new file mode 100755 index 00000000000..e4652537ab1 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/procmount0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/procmount0.yaml new file mode 100755 index 00000000000..3d38e0116c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/procmount0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/procmount1.yaml new file mode 100755 index 00000000000..c774950551d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/procmount1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/procmount0.yaml new file mode 100755 index 00000000000..e4652537ab1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/procmount0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/procmount0.yaml new file mode 100755 index 00000000000..c810b36721c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/procmount0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/procmount1.yaml new file mode 100755 index 00000000000..a5fb64c359d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/procmount1.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/procmount0.yaml new file mode 100755 index 00000000000..0fd9424c3da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/procmount0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/procmount0.yaml new file mode 100755 index 00000000000..c810b36721c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/procmount0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/procmount1.yaml new file mode 100755 index 00000000000..a5fb64c359d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/procmount1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/procmount0.yaml new file mode 100755 index 00000000000..0fd9424c3da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/procmount0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/procmount0.yaml new file mode 100755 index 00000000000..c810b36721c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/procmount0.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/procmount1.yaml new file mode 100755 index 00000000000..a5fb64c359d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/procmount1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/procmount0.yaml new file mode 100755 index 00000000000..0fd9424c3da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/procmount0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/procmount0.yaml new file mode 100755 index 00000000000..c810b36721c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/procmount0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/procmount1.yaml new file mode 100755 index 00000000000..a5fb64c359d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/procmount1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/procmount0.yaml new file mode 100755 index 00000000000..0fd9424c3da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/procmount0.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/procmount0.yaml new file mode 100755 index 00000000000..c810b36721c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/procmount0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/procmount1.yaml new file mode 100755 index 00000000000..a5fb64c359d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/procmount1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/procmount0.yaml new file mode 100755 index 00000000000..0fd9424c3da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/procmount0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/procmount0.yaml new file mode 100755 index 00000000000..c810b36721c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/procmount0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/procmount1.yaml new file mode 100755 index 00000000000..a5fb64c359d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/procmount1.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/procmount0.yaml new file mode 100755 index 00000000000..0fd9424c3da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/procmount0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/procmount0.yaml new file mode 100755 index 00000000000..c810b36721c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/procmount0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/procmount1.yaml new file mode 100755 index 00000000000..a5fb64c359d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/procmount1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/procmount0.yaml new file mode 100755 index 00000000000..0fd9424c3da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/procmount0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/procmount0.yaml new file mode 100755 index 00000000000..c810b36721c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/procmount0.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/procmount1.yaml new file mode 100755 index 00000000000..a5fb64c359d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/procmount1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/procmount0.yaml new file mode 100755 index 00000000000..0fd9424c3da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/procmount0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/procmount0.yaml new file mode 100755 index 00000000000..c810b36721c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/procmount0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/procmount1.yaml new file mode 100755 index 00000000000..a5fb64c359d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/procmount1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/procmount0.yaml new file mode 100755 index 00000000000..0fd9424c3da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/procmount0.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/procmount0.yaml new file mode 100755 index 00000000000..c810b36721c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/procmount0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/procmount1.yaml new file mode 100755 index 00000000000..a5fb64c359d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/procmount1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/procmount0.yaml new file mode 100755 index 00000000000..0fd9424c3da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/procmount0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/procmount0.yaml new file mode 100755 index 00000000000..3d38e0116c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/procmount0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/procmount1.yaml new file mode 100755 index 00000000000..c774950551d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/procmount1.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/procmount0.yaml new file mode 100755 index 00000000000..e4652537ab1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/procmount0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/procmount0.yaml new file mode 100755 index 00000000000..c810b36721c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/procmount0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/procmount1.yaml new file mode 100755 index 00000000000..a5fb64c359d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/procmount1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/procmount0.yaml new file mode 100755 index 00000000000..0fd9424c3da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/procmount0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/procmount0.yaml new file mode 100755 index 00000000000..c810b36721c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/procmount0.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/procmount1.yaml new file mode 100755 index 00000000000..a5fb64c359d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/procmount1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/procmount0.yaml new file mode 100755 index 00000000000..0fd9424c3da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/procmount0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/procmount0.yaml new file mode 100755 index 00000000000..c810b36721c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/procmount0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/procmount1.yaml new file mode 100755 index 00000000000..a5fb64c359d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/procmount1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/procmount0.yaml new file mode 100755 index 00000000000..0fd9424c3da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/procmount0.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/procmount0.yaml new file mode 100755 index 00000000000..3d38e0116c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/procmount0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/procmount1.yaml new file mode 100755 index 00000000000..c774950551d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/procmount1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/procmount0.yaml new file mode 100755 index 00000000000..e4652537ab1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/procmount0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/procmount0.yaml new file mode 100755 index 00000000000..3d38e0116c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/procmount0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/procmount1.yaml new file mode 100755 index 00000000000..c774950551d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/procmount1.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/procmount0.yaml new file mode 100755 index 00000000000..e4652537ab1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/procmount0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/procmount0.yaml new file mode 100755 index 00000000000..3d38e0116c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/procmount0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/procmount1.yaml new file mode 100755 index 00000000000..c774950551d --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/procmount1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/procmount0.yaml new file mode 100755 index 00000000000..e4652537ab1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/procmount0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/procmount0.yaml new file mode 100755 index 00000000000..3d38e0116c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/procmount0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/procmount1.yaml new file mode 100755 index 00000000000..c774950551d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/procmount1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/procmount0.yaml new file mode 100755 index 00000000000..e4652537ab1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/procmount0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/procmount0.yaml new file mode 100755 index 00000000000..3d38e0116c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/procmount0.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/procmount1.yaml new file mode 100755 index 00000000000..c774950551d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/procmount1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/procmount0.yaml new file mode 100755 index 00000000000..e4652537ab1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/procmount0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/procmount0.yaml new file mode 100755 index 00000000000..c810b36721c --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/procmount0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/procmount1.yaml new file mode 100755 index 00000000000..a5fb64c359d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/procmount1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/procmount0.yaml new file mode 100755 index 00000000000..0fd9424c3da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/procmount0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/procmount0.yaml new file mode 100755 index 00000000000..c810b36721c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/procmount0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/procmount1.yaml new file mode 100755 index 00000000000..a5fb64c359d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/procmount1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Unmasked + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/procmount0.yaml new file mode 100755 index 00000000000..0fd9424c3da --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/procmount0.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + procMount: Default + securityContext: + runAsNonRoot: true