drop UserNamespacesPodSecurityStandards feature gate

this feature gate was meant to be ephemeral, and only was used for guaranteeing a
cluster admin didn't accidentally relax PSA policies before the kubelet would deny a pod
was created if it didn't support user namespaces. As of kube 1.33, the supported apiserver version
skew of n-3 guarantees that all supported kubelets are of 1.30 or later, meaning they do this.

Now, we can unconditionally relax PSA policy if a pod is in a user namespace.

This PR preserves the default behavior of older policy versions by never relaxing them.

Signed-off-by: Peter Hunt <pehunt@redhat.com>
This commit is contained in:
Peter Hunt
2025-06-06 15:30:10 -04:00
parent 31f83cdf2b
commit e8bd3f629d
166 changed files with 3961 additions and 167 deletions


@@ -984,17 +984,6 @@ const (
// Proxies client to an apiserver capable of serving the request in the event of version skew.
UnknownVersionInteroperabilityProxy featuregate.Feature = "UnknownVersionInteroperabilityProxy"
// owner: @saschagrunert
//
// Enables user namespace support for Pod Security Standards. Enabling this
// feature will modify all Pod Security Standard rules to allow setting:
// spec[.*].securityContext.[runAsNonRoot,runAsUser]
// This feature gate should only be enabled if all nodes in the cluster
// support the user namespace feature and have it enabled. The feature gate
// will not graduate or be enabled by default in future Kubernetes
// releases.
UserNamespacesPodSecurityStandards featuregate.Feature = "UserNamespacesPodSecurityStandards"
// owner: @rata, @giuseppe
// kep: https://kep.k8s.io/127
//
@@ -1751,10 +1740,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
{Version: version.MustParse("1.28"), Default: false, PreRelease: featuregate.Alpha},
},
UserNamespacesPodSecurityStandards: {
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
},
UserNamespacesSupport: {
{Version: version.MustParse("1.25"), Default: false, PreRelease: featuregate.Alpha},
{Version: version.MustParse("1.30"), Default: false, PreRelease: featuregate.Beta},
@@ -2295,8 +2280,6 @@ var defaultKubernetesFeatureGateDependencies = map[featuregate.Feature][]feature
UnknownVersionInteroperabilityProxy: {},
UserNamespacesPodSecurityStandards: {},
UserNamespacesSupport: {},
VolumeAttributesClass: {},


@@ -27,7 +27,6 @@ import (
_ "k8s.io/kubernetes/pkg/apis/apps/install"
_ "k8s.io/kubernetes/pkg/apis/batch/install"
_ "k8s.io/kubernetes/pkg/apis/core/install"
"k8s.io/kubernetes/pkg/features"
admissionv1 "k8s.io/api/admission/v1"
appsv1 "k8s.io/api/apps/v1"
@@ -44,7 +43,6 @@ import (
"k8s.io/client-go/kubernetes"
corev1listers "k8s.io/client-go/listers/core/v1"
"k8s.io/component-base/compatibility"
"k8s.io/component-base/featuregate"
"k8s.io/component-base/metrics/legacyregistry"
"k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/apis/apps"
@@ -71,8 +69,6 @@ func Register(plugins *admission.Plugins) {
type Plugin struct {
*admission.Handler
inspectedFeatureGates bool
inspectedEffectiveVersion bool
emulationVersion *podsecurityadmissionapi.Version
@@ -173,16 +169,8 @@ func (p *Plugin) InspectEffectiveVersion(version compatibility.EffectiveVersion)
}
}
func (p *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
p.inspectedFeatureGates = true
policy.RelaxPolicyForUserNamespacePods(featureGates.Enabled(features.UserNamespacesPodSecurityStandards))
}
// ValidateInitialization ensures all required options are set
func (p *Plugin) ValidateInitialization() error {
if !p.inspectedFeatureGates {
return fmt.Errorf("%s did not see feature gates", PluginName)
}
if !p.inspectedEffectiveVersion {
return fmt.Errorf("%s did not see effective version", PluginName)
}


@@ -33,7 +33,6 @@ import (
"k8s.io/apiserver/pkg/admission"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/util/compatibility"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/apiserver/pkg/warning"
"k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes/fake"
@@ -84,7 +83,6 @@ func BenchmarkVerifyPod(b *testing.B) {
}
p.InspectEffectiveVersion(compatibility.DefaultBuildEffectiveVersion())
p.InspectFeatureGates(utilfeature.DefaultFeatureGate)
enforceImplicitPrivilegedNamespace := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "enforce-implicit", Labels: map[string]string{}}}
enforcePrivilegedNamespace := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "enforce-privileged", Labels: map[string]string{"pod-security.kubernetes.io/enforce": "privileged"}}}
@@ -193,7 +191,6 @@ func BenchmarkVerifyNamespace(b *testing.B) {
}
p.InspectEffectiveVersion(compatibility.DefaultBuildEffectiveVersion())
p.InspectFeatureGates(utilfeature.DefaultFeatureGate)
namespace := "enforce"
enforceNamespaceBaselineV1 := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: namespace, Labels: map[string]string{"pod-security.kubernetes.io/enforce": "baseline"}}}


@@ -27,27 +27,25 @@ import (
/*
The default /proc masks are set up to reduce attack surface, and should be required.
The default /proc masks are set up to reduce attack surface, and should be required
by the baseline policy unless the pod is in a user namespace ("hostUsers: false").
**Restricted Fields:**
spec.containers[*].securityContext.procMount
spec.initContainers[*].securityContext.procMount
**Allowed Values:** undefined/null, "Default"
However, if the pod is in a user namespace (`hostUsers: false`), and the
UserNamespacesPodSecurityStandards feature is enabled, all values are allowed.
**Allowed Values:** undefined/null, "Default" (or any value if "hostUsers" is false)
*/
func init() {
addCheck(CheckProcMount)
addCheck(CheckProcMountBaseline)
}
// CheckProcMount returns a baseline level check that restricts
// setting the value of securityContext.procMount to DefaultProcMount
// in 1.0+
func CheckProcMount() Check {
// in 1.0+.
// Starting in 1.35+, any value is allowed if the pod is in a user namespace ("hostUsers: false").
func CheckProcMountBaseline() Check {
return Check{
ID: "procMount",
Level: api.LevelBaseline,
@@ -56,19 +54,16 @@ func CheckProcMount() Check {
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: procMount_1_0,
},
{
MinimumVersion: api.MajorMinorVersion(1, 35),
CheckPod: procMount1_35baseline,
},
},
}
}
// procMount_1_0 blocks unmasked procMount unconditionally
func procMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// TODO: When we remove the UserNamespacesPodSecurityStandards feature gate (and GA this relaxation),
// create a new policy version.
// Note: pod validation will check for well formed procMount type, so avoid double validation and allow everything
// here.
if relaxPolicyForUserNamespacePod(podSpec) {
return CheckResult{Allowed: true}
}
var badContainers []string
forbiddenProcMountTypes := sets.NewString()
visitContainers(podSpec, func(container *corev1.Container) {
@@ -100,3 +95,12 @@ func procMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) Chec
}
return CheckResult{Allowed: true}
}
// procMount1_35baseline blocks unmasked procMount for pods that are not in a user namespace
func procMount1_35baseline(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
if relaxPolicyForUserNamespacePod(podSpec) {
return CheckResult{Allowed: true}
}
// If the pod is not in a user namespace, treat it as restricted.
return procMount_1_0(podMetadata, podSpec)
}
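Review bot: The doc comment above the renamed function still opens with the old name — `// CheckProcMount returns a baseline level check that restricts` is kept as context over `func CheckProcMountBaseline() Check` — so godoc files it under the wrong name and staticcheck's ST1020 will flag it; make it `// CheckProcMountBaseline returns a baseline level check that restricts`. Renaming the exported `CheckProcMount` is also a compile-time break for any out-of-tree consumer of the policy package; if that matters, a deprecated `func CheckProcMount() Check { return CheckProcMountBaseline() }` keeps the old name working. In procMount1_35baseline the comment `// If the pod is not in a user namespace, treat it as restricted.` reads as a reference to the Restricted level; `// Otherwise apply the unconditional 1.0 baseline check.` states what the call does.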


@@ -20,21 +20,20 @@ import (
"testing"
corev1 "k8s.io/api/core/v1"
"k8s.io/utils/ptr"
)
func TestProcMount(t *testing.T) {
func TestProcMountBaseline(t *testing.T) {
defaultValue := corev1.DefaultProcMount
unmaskedValue := corev1.UnmaskedProcMount
otherValue := corev1.ProcMountType("other")
hostUsers := false
tests := []struct {
name string
pod *corev1.Pod
expectReason string
expectDetail string
expectAllowed bool
relaxForUserNS bool
name string
pod *corev1.Pod
expectReason string
expectDetail string
expectAllowed bool
}{
{
name: "procMount",
@@ -46,14 +45,14 @@ func TestProcMount(t *testing.T) {
{Name: "d", SecurityContext: &corev1.SecurityContext{ProcMount: &unmaskedValue}},
{Name: "e", SecurityContext: &corev1.SecurityContext{ProcMount: &otherValue}},
},
HostUsers: &hostUsers,
HostUsers: ptr.To(true),
}},
expectReason: `procMount`,
expectAllowed: false,
expectDetail: `containers "d", "e" must not set securityContext.procMount to "Unmasked", "other"`,
},
{
name: "procMount",
name: "procMount with userns",
pod: &corev1.Pod{Spec: corev1.PodSpec{
Containers: []corev1.Container{
{Name: "a", SecurityContext: nil},
@@ -62,24 +61,17 @@ func TestProcMount(t *testing.T) {
{Name: "d", SecurityContext: &corev1.SecurityContext{ProcMount: &unmaskedValue}},
{Name: "e", SecurityContext: &corev1.SecurityContext{ProcMount: &otherValue}},
},
HostUsers: &hostUsers,
HostUsers: ptr.To(false),
}},
expectReason: "",
expectDetail: "",
expectAllowed: true,
relaxForUserNS: true,
expectReason: "",
expectDetail: "",
expectAllowed: true,
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
if tc.relaxForUserNS {
RelaxPolicyForUserNamespacePods(true)
t.Cleanup(func() {
RelaxPolicyForUserNamespacePods(false)
})
}
result := procMount_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
result := procMount1_35baseline(&tc.pod.ObjectMeta, &tc.pod.Spec)
if result.Allowed != tc.expectAllowed {
t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
}


@@ -0,0 +1,56 @@
/*
Copyright 2025 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"k8s.io/pod-security-admission/api"
)
/*
The default /proc masks are set up to reduce attack surface, and should be required by the restricted profile.
**Restricted Fields:**
spec.containers[*].securityContext.procMount
spec.initContainers[*].securityContext.procMount
**Allowed Values:** undefined/null, "Default"
*/
func init() {
addCheck(CheckProcMountRestricted)
}
// CheckProcMountRestricted returns a restricted level check that forbids unmasked procmount.
func CheckProcMountRestricted() Check {
return Check{
ID: "procMount_restricted",
Level: api.LevelRestricted,
Versions: []VersionedCheck{
{
// Prior to 1.35, the baseline "procMount" check ran procMount_1_0 to unconditionally block unmasked procMount.
// In 1.35+, baseline conditionally relaxes for user namespace pods.
// Starting at that version, keep running the unconditional block in the restricted profile,
// and override the slightly weaker version of the same check from the baseline profile.
MinimumVersion: api.MajorMinorVersion(1, 35),
CheckPod: procMount_1_0,
OverrideCheckIDs: []CheckID{"procMount"},
},
},
}
}


@@ -0,0 +1,71 @@
/*
Copyright 2025 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package policy
import (
"testing"
corev1 "k8s.io/api/core/v1"
)
func TestProcMountRestricted(t *testing.T) {
defaultValue := corev1.DefaultProcMount
unmaskedValue := corev1.UnmaskedProcMount
otherValue := corev1.ProcMountType("other")
tests := []struct {
name string
pod *corev1.Pod
expectReason string
expectDetail string
expectAllowed bool
}{
{
name: "procMount",
pod: &corev1.Pod{Spec: corev1.PodSpec{
Containers: []corev1.Container{
{Name: "a", SecurityContext: nil},
{Name: "b", SecurityContext: &corev1.SecurityContext{}},
{Name: "c", SecurityContext: &corev1.SecurityContext{ProcMount: &defaultValue}},
{Name: "d", SecurityContext: &corev1.SecurityContext{ProcMount: &unmaskedValue}},
{Name: "e", SecurityContext: &corev1.SecurityContext{ProcMount: &otherValue}},
},
}},
expectReason: `procMount`,
expectAllowed: false,
expectDetail: `containers "d", "e" must not set securityContext.procMount to "Unmasked", "other"`,
},
}
for _, tc := range tests {
for _, userns := range []bool{true, false} {
t.Run(tc.name, func(t *testing.T) {
tc.pod.Spec.HostUsers = &userns
result := procMount_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
if result.Allowed != tc.expectAllowed {
t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
}
if e, a := tc.expectReason, result.ForbiddenReason; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
t.Errorf("expected\n%s\ngot\n%s", e, a)
}
})
}
}
}
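Review bot: Both subtests started in the `for _, userns := range []bool{true, false}` loop are registered under the same `tc.name`, so the second shows up as `procMount#01` and a failure does not say which hostUsers value produced it. The loop variable is also assigned straight to `HostUsers`, so `userns == true` actually means the pod is not in a user namespace; naming it after the field removes that inversion. Suggested: `for _, hostUsers := range []bool{true, false} {`, `t.Run(fmt.Sprintf("%s hostUsers=%t", tc.name, hostUsers), func(t *testing.T) {` and `tc.pod.Spec.HostUsers = &hostUsers`, which needs `"fmt"` added to the imports. Mutating the shared `tc.pod` across subtests only works because the subtests run sequentially (no t.Parallel); a one-line comment saying so would stop someone adding it later.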


@@ -26,7 +26,8 @@ import (
)
/*
Containers must be required to run as non-root users.
Containers must be required to run as non-root users,
unless the pod is in a user namespace ("hostUsers: false").
**Restricted Fields:**
@@ -37,6 +38,7 @@ spec.initContainers[*].securityContext.runAsNonRoot
**Allowed Values:**
true
undefined/null at container-level if pod-level is set to true
any value if "hostUsers" is false
*/
func init() {
@@ -54,16 +56,26 @@ func CheckRunAsNonRoot() Check {
MinimumVersion: api.MajorMinorVersion(1, 0),
CheckPod: runAsNonRoot_1_0,
},
{
MinimumVersion: api.MajorMinorVersion(1, 35),
CheckPod: runAsNonRoot1_35,
},
},
}
}
func runAsNonRoot_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
func runAsNonRoot1_35(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// See KEP-127: https://github.com/kubernetes/enhancements/blob/308ba8d/keps/sig-node/127-user-namespaces/README.md?plain=1#L411-L447
// In the 1.0 policy, this relaxation was gated on a perma-alpha feature gate.
// Instead of relaxing 1.0 policy, drop the relaxation there, and add it unconditionally here.
if relaxPolicyForUserNamespacePod(podSpec) {
return CheckResult{Allowed: true}
}
return runAsNonRoot_1_0(podMetadata, podSpec)
}
func runAsNonRoot_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// things that explicitly set runAsNonRoot=false
var badSetters []string
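Review bot: `runAsNonRoot1_35` has no doc comment, and the file's block comment now states the user namespace exemption without saying it only applies from policy version 1.35 — `runAsNonRoot_1_0` still rejects such pods — whereas check_procMount.go spells out `Starting in 1.35+`. Suggest `// runAsNonRoot1_35 allows any runAsNonRoot value when the pod is in a user namespace ("hostUsers: false") and otherwise applies runAsNonRoot_1_0.` above the function and `any value if "hostUsers" is false (1.35+)` in the Allowed Values list. The same two gaps exist for runAsUser1_35 in check_runAsUser.go. CheckRunAsNonRoot's body starts before this hunk.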


@@ -25,12 +25,11 @@ import (
func TestRunAsNonRoot(t *testing.T) {
tests := []struct {
name string
pod *corev1.Pod
expectReason string
expectDetail string
expectAllowed bool
relaxForUserNS bool
name string
pod *corev1.Pod
expectReason string
expectDetail string
expectAllowed bool
}{
{
name: "no explicit runAsNonRoot",
@@ -83,37 +82,17 @@ func TestRunAsNonRoot(t *testing.T) {
expectDetail: `pod or containers "a", "b" must set securityContext.runAsNonRoot=true`,
},
{
name: "UserNamespacesPodSecurityStandards enabled without HostUsers",
name: "host users false allowed",
pod: &corev1.Pod{Spec: corev1.PodSpec{
HostUsers: ptr.To(false),
}},
expectAllowed: true,
relaxForUserNS: true,
},
{
name: "UserNamespacesPodSecurityStandards enabled with HostUsers",
pod: &corev1.Pod{Spec: corev1.PodSpec{
Containers: []corev1.Container{
{Name: "a"},
},
HostUsers: ptr.To(true),
}},
expectReason: `runAsNonRoot != true`,
expectDetail: `pod or container "a" must set securityContext.runAsNonRoot=true`,
expectAllowed: false,
relaxForUserNS: true,
expectAllowed: true,
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
if tc.relaxForUserNS {
RelaxPolicyForUserNamespacePods(true)
t.Cleanup(func() {
RelaxPolicyForUserNamespacePods(false)
})
}
result := runAsNonRoot_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
result := runAsNonRoot1_35(&tc.pod.ObjectMeta, &tc.pod.Spec)
if result.Allowed != tc.expectAllowed {
t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
}


@@ -27,6 +27,7 @@ import (
/*
Containers must not set runAsUser: 0
unless the pod is in a user namespace ("hostUsers: false").
**Restricted Fields:**
@@ -37,6 +38,7 @@ spec.initContainers[*].securityContext.runAsUser
**Allowed Values:**
non-zero values
undefined/null
any value if "hostUsers" is false
*/
@@ -55,16 +57,26 @@ func CheckRunAsUser() Check {
MinimumVersion: api.MajorMinorVersion(1, 23),
CheckPod: runAsUser_1_23,
},
{
MinimumVersion: api.MajorMinorVersion(1, 35),
CheckPod: runAsUser1_35,
},
},
}
}
func runAsUser_1_23(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
func runAsUser1_35(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// See KEP-127: https://github.com/kubernetes/enhancements/blob/308ba8d/keps/sig-node/127-user-namespaces/README.md?plain=1#L411-L447
// In the 1.23 policy, this relaxation was gated on a perma-alpha feature gate.
// Instead of relaxing 1.0 policy, drop the relaxation there, and add it unconditionally here.
if relaxPolicyForUserNamespacePod(podSpec) {
return CheckResult{Allowed: true}
}
return runAsUser_1_23(podMetadata, podSpec)
}
func runAsUser_1_23(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
// things that explicitly set runAsUser=0
var badSetters []string
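Review bot: The explanatory comment in `runAsUser1_35` contradicts itself: `// In the 1.23 policy, this relaxation was gated on a perma-alpha feature gate.` is followed by `// Instead of relaxing 1.0 policy, drop the relaxation there, and add it unconditionally here.`, but this check never had a 1.0 relaxation and the function it wraps is `runAsUser_1_23`. It looks like a copy of the runAsNonRoot comment; change the second line to `// Instead of relaxing the 1.23 policy, drop the relaxation there and add it unconditionally here.` CheckRunAsUser's body starts before this hunk.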


@@ -25,12 +25,11 @@ import (
func TestRunAsUser(t *testing.T) {
tests := []struct {
name string
pod *corev1.Pod
expectAllowed bool
expectReason string
expectDetail string
relaxForUserNS bool
name string
pod *corev1.Pod
expectAllowed bool
expectReason string
expectDetail string
}{
{
name: "pod runAsUser=0",
@@ -92,38 +91,17 @@ func TestRunAsUser(t *testing.T) {
expectAllowed: true,
},
{
name: "UserNamespacesPodSecurityStandards enabled without HostUsers",
name: "host users false allowed",
pod: &corev1.Pod{Spec: corev1.PodSpec{
HostUsers: ptr.To(false),
}},
expectAllowed: true,
relaxForUserNS: true,
},
{
name: "UserNamespacesPodSecurityStandards enabled with HostUsers",
pod: &corev1.Pod{Spec: corev1.PodSpec{
SecurityContext: &corev1.PodSecurityContext{RunAsUser: ptr.To[int64](0)},
Containers: []corev1.Container{
{Name: "a", SecurityContext: nil},
},
HostUsers: ptr.To(true),
}},
expectAllowed: false,
expectReason: `runAsUser=0`,
expectDetail: `pod must not set runAsUser=0`,
relaxForUserNS: true,
expectAllowed: true,
},
}
for _, tc := range tests {
t.Run(tc.name, func(t *testing.T) {
if tc.relaxForUserNS {
RelaxPolicyForUserNamespacePods(true)
t.Cleanup(func() {
RelaxPolicyForUserNamespacePods(false)
})
}
result := runAsUser_1_23(&tc.pod.ObjectMeta, &tc.pod.Spec)
result := runAsUser1_35(&tc.pod.ObjectMeta, &tc.pod.Spec)
if result.Allowed != tc.expectAllowed {
t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
}


@@ -18,7 +18,6 @@ package policy
import (
"strings"
"sync/atomic"
corev1 "k8s.io/api/core/v1"
)
@@ -37,20 +36,8 @@ func pluralize(singular, plural string, count int) string {
return plural
}
var relaxPolicyForUserNamespacePods = &atomic.Bool{}
// RelaxPolicyForUserNamespacePods allows opting into relaxing runAsUser /
// runAsNonRoot restricted policies for user namespace pods, before the
// usernamespace feature has reached GA and propagated to the oldest supported
// nodes.
// This should only be opted into in clusters where the administrator ensures
// all nodes in the cluster enable the user namespace feature.
func RelaxPolicyForUserNamespacePods(relax bool) {
relaxPolicyForUserNamespacePods.Store(relax)
}
// relaxPolicyForUserNamespacePod returns true if a policy should be relaxed
// because of enabled user namespaces in the provided pod spec.
func relaxPolicyForUserNamespacePod(podSpec *corev1.PodSpec) bool {
return relaxPolicyForUserNamespacePods.Load() && podSpec != nil && podSpec.HostUsers != nil && !*podSpec.HostUsers
return podSpec != nil && podSpec.HostUsers != nil && !*podSpec.HostUsers
}
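Review bot: `relaxPolicyForUserNamespacePod` is now the only thing standing between a `hostUsers: false` pod and a skipped baseline/restricted check, yet its doc comment says nothing about why that is acceptable; the justification given in the commit message (every supported kubelet rejects such a pod on a node without user namespace support) belongs next to the code. Suggest appending `// Relaxing unconditionally assumes every supported kubelet rejects hostUsers=false pods on nodes without user namespace support (see KEP-127), so an admitted pod never runs in the host user namespace with these checks skipped.` to the comment. Dropping the exported `RelaxPolicyForUserNamespacePods` is a compile-time break for any out-of-tree consumer of the policy package; if that is intended, it deserves a release note.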


@@ -20,10 +20,10 @@ import (
corev1 "k8s.io/api/core/v1"
"k8s.io/component-base/featuregate"
"k8s.io/pod-security-admission/api"
"k8s.io/utils/ptr"
)
func init() {
hostUsers := false
fixtureData_1_0 := fixtureGenerator{
expectErrorSubstring: "procMount",
generatePass: func(p *corev1.Pod) []*corev1.Pod {
@@ -34,7 +34,7 @@ func init() {
validProcMountType := corev1.DefaultProcMount
copy.Spec.Containers[0].SecurityContext.ProcMount = &validProcMountType
copy.Spec.InitContainers[0].SecurityContext.ProcMount = &validProcMountType
copy.Spec.HostUsers = &hostUsers
copy.Spec.HostUsers = ptr.To(false)
}),
}
},
@@ -46,13 +46,13 @@ func init() {
tweak(p, func(copy *corev1.Pod) {
unmaskedProcMountType := corev1.UnmaskedProcMount
copy.Spec.Containers[0].SecurityContext.ProcMount = &unmaskedProcMountType
copy.Spec.HostUsers = &hostUsers
copy.Spec.HostUsers = ptr.To(false)
}),
// set proc mount of init container to a forbidden value
tweak(p, func(copy *corev1.Pod) {
unmaskedProcMountType := corev1.UnmaskedProcMount
copy.Spec.InitContainers[0].SecurityContext.ProcMount = &unmaskedProcMountType
copy.Spec.HostUsers = &hostUsers
copy.Spec.HostUsers = ptr.To(false)
}),
}
},
@@ -62,4 +62,88 @@ func init() {
fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 0), check: "procMount"},
fixtureData_1_0,
)
fixtureData1_35baseline := fixtureGenerator{
expectErrorSubstring: "procMount",
generatePass: func(p *corev1.Pod) []*corev1.Pod {
p = ensureSecurityContext(p)
return []*corev1.Pod{
// set proc mount of container and init container to a valid value
tweak(p, func(copy *corev1.Pod) {
validProcMountType := corev1.DefaultProcMount
copy.Spec.Containers[0].SecurityContext.ProcMount = &validProcMountType
copy.Spec.InitContainers[0].SecurityContext.ProcMount = &validProcMountType
copy.Spec.HostUsers = ptr.To(false)
}),
tweak(p, func(copy *corev1.Pod) {
unmaskedProcMountType := corev1.UnmaskedProcMount
copy.Spec.Containers[0].SecurityContext.ProcMount = &unmaskedProcMountType
copy.Spec.InitContainers[0].SecurityContext.ProcMount = &unmaskedProcMountType
copy.Spec.HostUsers = ptr.To(false)
}),
}
},
failRequiresFeatures: []featuregate.Feature{"ProcMountType"},
generateFail: func(p *corev1.Pod) []*corev1.Pod {
p = ensureSecurityContext(p)
return []*corev1.Pod{
// set proc mount of container to a forbidden value
tweak(p, func(copy *corev1.Pod) {
unmaskedProcMountType := corev1.UnmaskedProcMount
copy.Spec.Containers[0].SecurityContext.ProcMount = &unmaskedProcMountType
copy.Spec.HostUsers = ptr.To(true)
}),
// set proc mount of init container to a forbidden value
tweak(p, func(copy *corev1.Pod) {
unmaskedProcMountType := corev1.UnmaskedProcMount
copy.Spec.InitContainers[0].SecurityContext.ProcMount = &unmaskedProcMountType
copy.Spec.HostUsers = ptr.To(true)
}),
}
},
}
registerFixtureGenerator(
fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 35), check: "procMount"},
fixtureData1_35baseline,
)
fixtureData1_35restricted := fixtureGenerator{
expectErrorSubstring: "procMount",
generatePass: func(p *corev1.Pod) []*corev1.Pod {
p = ensureSecurityContext(p)
return []*corev1.Pod{
// set proc mount of container and init container to a valid value
tweak(p, func(copy *corev1.Pod) {
validProcMountType := corev1.DefaultProcMount
copy.Spec.Containers[0].SecurityContext.ProcMount = &validProcMountType
copy.Spec.InitContainers[0].SecurityContext.ProcMount = &validProcMountType
copy.Spec.HostUsers = ptr.To(false)
}),
}
},
failRequiresFeatures: []featuregate.Feature{"ProcMountType"},
generateFail: func(p *corev1.Pod) []*corev1.Pod {
p = ensureSecurityContext(p)
return []*corev1.Pod{
// set proc mount of container to a forbidden value
tweak(p, func(copy *corev1.Pod) {
unmaskedProcMountType := corev1.UnmaskedProcMount
copy.Spec.Containers[0].SecurityContext.ProcMount = &unmaskedProcMountType
copy.Spec.HostUsers = ptr.To(false)
}),
// set proc mount of init container to a forbidden value
tweak(p, func(copy *corev1.Pod) {
unmaskedProcMountType := corev1.UnmaskedProcMount
copy.Spec.InitContainers[0].SecurityContext.ProcMount = &unmaskedProcMountType
copy.Spec.HostUsers = ptr.To(false)
}),
}
},
}
registerFixtureGenerator(
fixtureKey{level: api.LevelRestricted, version: api.MajorMinorVersion(1, 35), check: "procMount_restricted"},
fixtureData1_35restricted,
)
}
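Review bot: The second tweak in `fixtureData1_35baseline.generatePass` — unmasked procMount on both containers plus `HostUsers: ptr.To(false)` — has no comment, unlike every sibling tweak, yet it is the one case that encodes the new relaxation; add `// set proc mount to a forbidden value, which passes because the pod is in a user namespace` above it. `fixtureData1_35restricted` only exercises `HostUsers: ptr.To(false)`; a fail case with `ptr.To(true)` would pin that the override keeps the unconditional block on the host user namespace path as well, though check_procMount_restricted_test.go already covers both values. The enclosing `init` starts before this hunk.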


@@ -37,7 +37,7 @@ import (
)
const (
newestMinorVersionToTest = 34
newestMinorVersionToTest = 35
podOSBasedRestrictionEnabledVersion = 29
)


@@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/container1: unconfined
name: apparmorprofile0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1


@@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
name: apparmorprofile1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
capabilities:
add:
- NET_RAW
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
capabilities: {}
securityContext: {}


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
capabilities: {}
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
capabilities:
add:
- NET_RAW
securityContext: {}


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline2
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
capabilities:
add:
- chown
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
capabilities: {}
securityContext: {}


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline3
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
capabilities:
add:
- CAP_CHOWN
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
capabilities: {}
securityContext: {}


@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
hostIPC: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1


@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
hostNetwork: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1


@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces2
spec:
containers:
- image: registry.k8s.io/pause
name: container1
hostPID: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1


@@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: hostpathvolumes0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
volumes:
- emptyDir: {}
name: volume-emptydir
- hostPath:
path: /a
name: volume-hostpath


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: hostpathvolumes1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
volumes:
- hostPath:
path: /a
name: volume-hostpath-a
- hostPath:
path: /b
name: volume-hostpath-b


@@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
ports:
- containerPort: 12345
hostPort: 12345
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1


@@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
ports:
- containerPort: 12346
hostPort: 12346


@@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports2
spec:
containers:
- image: registry.k8s.io/pause
name: container1
ports:
- containerPort: 12345
hostPort: 12345
- containerPort: 12347
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
ports:
- containerPort: 12346
hostPort: 12346
- containerPort: 12348


@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: hostprobesandhostlifecycle0
spec:
containers:
- image: registry.k8s.io/pause
livenessProbe:
httpGet:
host: bad.host
port: 8080
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1


@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: hostprobesandhostlifecycle1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
readinessProbe:
tcpSocket:
host: 8.8.8.8
port: 8080
restartPolicy: Always


@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: hostprobesandhostlifecycle2
spec:
containers:
- image: registry.k8s.io/pause
lifecycle:
postStart:
httpGet:
host: bad.host
port: 8080
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1


@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: hostprobesandhostlifecycle3
spec:
containers:
- image: registry.k8s.io/pause
livenessProbe:
httpGet:
host: 127.0.0.1
port: 8080
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1


@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: hostprobesandhostlifecycle4
spec:
containers:
- image: registry.k8s.io/pause
name: container1
readinessProbe:
tcpSocket:
host: ::1
port: 8080
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1


@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
privileged: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext: {}
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
privileged: true
securityContext: {}


@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
procMount: Unmasked
hostUsers: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext: {}
hostUsers: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}


@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext: {}
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext: {}
securityContext:
seccompProfile:
type: Unconfined


@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
seccompProfile:
type: Unconfined
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}


@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline2
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext: {}
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
seccompProfile:
type: Unconfined
securityContext: {}


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
seLinuxOptions: {}
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext:
seLinuxOptions:
type: somevalue


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
seLinuxOptions:
type: somevalue
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext:
seLinuxOptions: {}


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions2
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
seLinuxOptions: {}
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
seLinuxOptions:
type: somevalue
securityContext:
seLinuxOptions: {}


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions3
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
seLinuxOptions: {}
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext:
seLinuxOptions:
user: somevalue


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions4
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
seLinuxOptions: {}
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext:
seLinuxOptions:
role: somevalue


@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: sysctls0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
sysctls:
- name: othersysctl
value: other


@@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: windowshostprocess0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
windowsOptions: {}
hostNetwork: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
windowsOptions: {}
securityContext:
windowsOptions:
hostProcess: true


@@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: windowshostprocess1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
windowsOptions:
hostProcess: true
hostNetwork: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
windowsOptions:
hostProcess: true
securityContext:
windowsOptions: {}


@@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
name: apparmorprofile0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1


@@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: base
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1


@@ -0,0 +1,44 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
capabilities:
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
capabilities:
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
securityContext: {}


@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
ports:
- containerPort: 12345
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
ports:
- containerPort: 12346


@@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: hostprobesandhostlifecycle0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1


@@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: hostprobesandhostlifecycle1
spec:
containers:
- image: registry.k8s.io/pause
livenessProbe:
httpGet:
port: 8080
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1


@@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: hostprobesandhostlifecycle2
spec:
containers:
- image: registry.k8s.io/pause
name: container1
readinessProbe:
tcpSocket:
port: 8080
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1


@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
privileged: false
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
privileged: false
securityContext: {}


@@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
procMount: Default
hostUsers: false
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}


@@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
procMount: Unmasked
hostUsers: false
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}
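Review bot: The pass fixture `procmount1` admits `procMount: Unmasked` only because `hostUsers: false` is set on the pod spec, and nothing in the fixture itself records the policy version at which that relaxation begins now that the feature gate is gone. The file path is not shown on this page, so I cannot tell which level/version directory it lands in; please confirm the generator emits this pass case only for the policy version that relaxes, and that the same spec remains a fail fixture under older versions, as the commit description promises. A one-line comment next to the fixture list in the generator, such as `# procMount: Unmasked is accepted only when hostUsers=false and the policy version is >= <relaxing version>`, would make that intent visible where the fixtures are produced. These files look generated, so any change belongs in the generator rather than in the YAML.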


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
seccompProfile:
type: RuntimeDefault
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext: {}
securityContext:
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext: {}
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext: {}


@@ -0,0 +1,21 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
seLinuxOptions:
level: somevalue
type: container_init_t
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
seLinuxOptions:
type: container_kvm_t
securityContext:
seLinuxOptions:
type: container_t


@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: sysctls0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext: {}


@@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: sysctls1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
sysctls:
- name: net.ipv4.tcp_rmem
value: 4096 87380 16777216
- name: net.ipv4.tcp_wmem
value: 4096 65536 16777216


@@ -0,0 +1,25 @@
apiVersion: v1
kind: Pod
metadata:
name: allowprivilegeescalation0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,25 @@
apiVersion: v1
kind: Pod
metadata:
name: allowprivilegeescalation1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,24 @@
apiVersion: v1
kind: Pod
metadata:
name: allowprivilegeescalation2
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: allowprivilegeescalation3
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/container1: unconfined
name: apparmorprofile0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
name: apparmorprofile1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_RAW
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_RAW
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline2
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- chown
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline3
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- CAP_CHOWN
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,23 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_restricted0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,23 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_restricted1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,97 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_restricted2
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- SYS_TIME
- SYS_MODULE
- SYS_RAWIO
- SYS_PACCT
- SYS_ADMIN
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- MKNOD
- AUDIT_WRITE
- AUDIT_CONTROL
- MAC_OVERRIDE
- MAC_ADMIN
- NET_ADMIN
- SYSLOG
- CHOWN
- NET_RAW
- DAC_OVERRIDE
- FOWNER
- DAC_READ_SEARCH
- FSETID
- KILL
- SETGID
- SETUID
- LINUX_IMMUTABLE
- NET_BIND_SERVICE
- NET_BROADCAST
- IPC_LOCK
- IPC_OWNER
- SYS_CHROOT
- SYS_PTRACE
- SYS_BOOT
- LEASE
- SETFCAP
- WAKE_ALARM
- BLOCK_SUSPEND
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- SYS_TIME
- SYS_MODULE
- SYS_RAWIO
- SYS_PACCT
- SYS_ADMIN
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- MKNOD
- AUDIT_WRITE
- AUDIT_CONTROL
- MAC_OVERRIDE
- MAC_ADMIN
- NET_ADMIN
- SYSLOG
- CHOWN
- NET_RAW
- DAC_OVERRIDE
- FOWNER
- DAC_READ_SEARCH
- FSETID
- KILL
- SETGID
- SETUID
- LINUX_IMMUTABLE
- NET_BIND_SERVICE
- NET_BROADCAST
- IPC_LOCK
- IPC_OWNER
- SYS_CHROOT
- SYS_PTRACE
- SYS_BOOT
- LEASE
- SETFCAP
- WAKE_ALARM
- BLOCK_SUSPEND
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
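Review bot: The `drop` lists in `capabilities_restricted2` contain `SYS_TIME` twice (once at the top and again after `SYS_RESOURCE`), in both the container and the init container. The duplicate does not change the outcome, since the fixture fails restricted because `ALL` is absent, but if the list is emitted from a static slice in the fixture generator, de-duplicating it there keeps the fixture from reading as a typo. This file looks generated, so the edit belongs in the generator, not the YAML.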


@@ -0,0 +1,53 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_restricted3
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,26 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
hostIPC: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,26 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
hostNetwork: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,26 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces2
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
hostPID: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,31 @@
apiVersion: v1
kind: Pod
metadata:
name: hostpathvolumes0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: volume-emptydir
- hostPath:
path: /a
name: volume-hostpath


@@ -0,0 +1,32 @@
apiVersion: v1
kind: Pod
metadata:
name: hostpathvolumes1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- hostPath:
path: /a
name: volume-hostpath-a
- hostPath:
path: /b
name: volume-hostpath-b


@@ -0,0 +1,28 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
ports:
- containerPort: 12345
hostPort: 12345
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,28 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
ports:
- containerPort: 12346
hostPort: 12346
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,33 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports2
spec:
containers:
- image: registry.k8s.io/pause
name: container1
ports:
- containerPort: 12345
hostPort: 12345
- containerPort: 12347
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
ports:
- containerPort: 12346
hostPort: 12346
- containerPort: 12348
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,29 @@
apiVersion: v1
kind: Pod
metadata:
name: hostprobesandhostlifecycle0
spec:
containers:
- image: registry.k8s.io/pause
livenessProbe:
httpGet:
host: bad.host
port: 8080
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,30 @@
apiVersion: v1
kind: Pod
metadata:
name: hostprobesandhostlifecycle1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
readinessProbe:
tcpSocket:
host: 8.8.8.8
port: 8080
restartPolicy: Always
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,30 @@
apiVersion: v1
kind: Pod
metadata:
name: hostprobesandhostlifecycle2
spec:
containers:
- image: registry.k8s.io/pause
lifecycle:
postStart:
httpGet:
host: bad.host
port: 8080
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,29 @@
apiVersion: v1
kind: Pod
metadata:
name: hostprobesandhostlifecycle3
spec:
containers:
- image: registry.k8s.io/pause
livenessProbe:
httpGet:
host: 127.0.0.1
port: 8080
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,29 @@
apiVersion: v1
kind: Pod
metadata:
name: hostprobesandhostlifecycle4
spec:
containers:
- image: registry.k8s.io/pause
name: container1
readinessProbe:
tcpSocket:
host: ::1
port: 8080
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,25 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
capabilities:
drop:
- ALL
privileged: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,25 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
capabilities:
drop:
- ALL
privileged: true
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
procMount: Unmasked
hostUsers: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
hostUsers: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
procMount: Unmasked
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount_restricted0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
procMount: Unmasked
hostUsers: false
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount_restricted1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
hostUsers: false
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
procMount: Unmasked
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault


@@ -0,0 +1,29 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- gcePersistentDisk:
pdName: test
name: volume1


@@ -0,0 +1,29 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- awsElasticBlockStore:
volumeID: test
name: volume1


@@ -0,0 +1,29 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes10
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- flocker:
datasetName: test
name: volume1


@@ -0,0 +1,30 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes11
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- fc:
wwids:
- test
name: volume1
