Merge pull request #103340 from MadhavJivrajani/proc-mount-baseline

Add baseline check for procMount type
Kubernetes Prow Robot 2021-07-01 09:50:07 -07:00 committed by GitHub
commit e5135985fa
140 changed files with 2417 additions and 0 deletions


@ -0,0 +1,80 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"fmt"
corev1 "k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/validation/field"
"k8s.io/pod-security-admission/api"
)
func init() {
addCheck(CheckProcMount)
}
// CheckProcMount returns a baseline level check that restricts
// setting the value of securityContext.procMount to DefaultProcMount
// in 1.0+
func CheckProcMount() Check {
return Check{
ID: "procMount",
Level: api.LevelBaseline,
Versions: []VersionedCheck{
{
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: checkProcMount_1_0,
},
},
}
}
func checkProcMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
forbiddenContainers := sets.NewString()
forbiddenProcMountTypes := sets.NewString()
visitContainersWithPath(podSpec, field.NewPath("spec"), func(container *corev1.Container, path *field.Path) {
// allow if the security context is nil.
if container.SecurityContext == nil {
return
}
// allow if proc mount is not set.
if container.SecurityContext.ProcMount == nil {
return
}
// check if the value of the proc mount type is valid.
if *container.SecurityContext.ProcMount != v1.DefaultProcMount {
forbiddenContainers.Insert(container.Name)
forbiddenProcMountTypes.Insert(string(*container.SecurityContext.ProcMount))
}
})
if len(forbiddenContainers) > 0 {
return CheckResult{
Allowed: false,
ForbiddenReason: "forbidden procMount",
ForbiddenDetail: fmt.Sprintf(
"containers %q have forbidden procMount types %q",
forbiddenContainers.List(),
forbiddenProcMountTypes.List(),
),
}
}
return CheckResult{Allowed: true}
}
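Review bot: The import block binds `k8s.io/api/core/v1` twice, as `corev1` and as `v1`, and checkProcMount_1_0 then mixes the two (`corev1.Container` in the visitor signature, `v1.DefaultProcMount` in the comparison). Drop the `v1` line and write the comparison as `if *container.SecurityContext.ProcMount != corev1.DefaultProcMount {`; the fixture file for this check repeats the same double import and can be cleaned up the same way. While there, the comment above that comparison could state what it enforces, e.g. `// only Default is allowed; any other value, including ones added later, is forbidden`, since the allowlist form is the security-relevant choice in this check.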


@ -0,0 +1,62 @@
/*
Copyright 2021 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package test
import (
corev1 "k8s.io/api/core/v1"
v1 "k8s.io/api/core/v1"
"k8s.io/component-base/featuregate"
"k8s.io/pod-security-admission/api"
)
func init() {
fixtureData_1_0 := fixtureGenerator{
expectErrorSubstring: "forbidden procMount",
generatePass: func(p *v1.Pod) []*v1.Pod {
p = ensureSecurityContext(p)
return []*corev1.Pod{
// set proc mount of container and init container to a valid value
tweak(p, func(copy *v1.Pod) {
validProcMountType := v1.DefaultProcMount
copy.Spec.Containers[0].SecurityContext.ProcMount = &validProcMountType
copy.Spec.InitContainers[0].SecurityContext.ProcMount = &validProcMountType
}),
}
},
failRequiresFeatures: []featuregate.Feature{"ProcMountType"},
generateFail: func(p *v1.Pod) []*v1.Pod {
p = ensureSecurityContext(p)
return []*corev1.Pod{
// set proc mount of container to a forbidden value
tweak(p, func(copy *v1.Pod) {
inValidProcMountType := v1.UnmaskedProcMount
copy.Spec.Containers[0].SecurityContext.ProcMount = &inValidProcMountType
}),
// set proc mount of init container to a forbidden value
tweak(p, func(copy *v1.Pod) {
inValidProcMountType := v1.UnmaskedProcMount
copy.Spec.InitContainers[0].SecurityContext.ProcMount = &inValidProcMountType
}),
}
},
}
registerFixtureGenerator(
fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 0), check: "procMount"},
fixtureData_1_0,
)
}
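Review bot: Both generateFail tweaks set `Unmasked` on `Containers[0]` or `InitContainers[0]`, so nothing in this fixture pins the check for ephemeral containers. Whether `visitContainersWithPath` also walks `spec.ephemeralContainers` is not visible on this page; if it does, a third fail case that sets `ProcMount` to `v1.UnmaskedProcMount` on an ephemeral container would keep a later visitor change from silently narrowing the baseline check. A short comment on `failRequiresFeatures` would also help the next reader, e.g. `// Unmasked pods can only be created when the ProcMountType gate is enabled`, though that reading of the field is inferred from its name and should be confirmed.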


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext:
runAsNonRoot: true


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext:
runAsNonRoot: true


@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext:
runAsNonRoot: true


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext:
runAsNonRoot: true


@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext:
runAsNonRoot: true


@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext:
runAsNonRoot: true


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
securityContext:
runAsNonRoot: true


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
procMount: Unmasked
securityContext:
runAsNonRoot: true


@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
procMount: Default
securityContext:
runAsNonRoot: true


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
securityContext:
runAsNonRoot: true


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
procMount: Unmasked
securityContext:
runAsNonRoot: true


@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
procMount: Default
securityContext:
runAsNonRoot: true


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
securityContext:
runAsNonRoot: true


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
procMount: Unmasked
securityContext:
runAsNonRoot: true


@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
procMount: Default
securityContext:
runAsNonRoot: true


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
securityContext:
runAsNonRoot: true


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
procMount: Unmasked
securityContext:
runAsNonRoot: true


@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
procMount: Default
securityContext:
runAsNonRoot: true


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
securityContext:
runAsNonRoot: true


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
procMount: Unmasked
securityContext:
runAsNonRoot: true


@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
procMount: Default
securityContext:
runAsNonRoot: true


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
securityContext:
runAsNonRoot: true


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
procMount: Unmasked
securityContext:
runAsNonRoot: true


@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
procMount: Default
securityContext:
runAsNonRoot: true


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
securityContext:
runAsNonRoot: true


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
procMount: Unmasked
securityContext:
runAsNonRoot: true


@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
procMount: Default
securityContext:
runAsNonRoot: true


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
securityContext:
runAsNonRoot: true


@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
procMount: Unmasked
securityContext:
runAsNonRoot: true
