drop UserNamespacesPodSecurityStandards feature gate
this feature gate was meant to be ephemeral, and was only used to guarantee that a cluster admin didn't accidentally relax PSA policies before the kubelet would deny creation of a pod with user namespaces it didn't support. As of kube 1.33, the supported apiserver version skew of n-3 guarantees that all supported kubelets are 1.30 or later, meaning they do this. Now, we can unconditionally relax PSA policy if a pod is in a user namespace. This PR preserves older policies' default behavior by never relaxing them. Signed-off-by: Peter Hunt <pehunt@redhat.com>
@@ -984,17 +984,6 @@ const (
|
||||
// Proxies client to an apiserver capable of serving the request in the event of version skew.
|
||||
UnknownVersionInteroperabilityProxy featuregate.Feature = "UnknownVersionInteroperabilityProxy"
|
||||
|
||||
// owner: @saschagrunert
|
||||
//
|
||||
// Enables user namespace support for Pod Security Standards. Enabling this
|
||||
// feature will modify all Pod Security Standard rules to allow setting:
|
||||
// spec[.*].securityContext.[runAsNonRoot,runAsUser]
|
||||
// This feature gate should only be enabled if all nodes in the cluster
|
||||
// support the user namespace feature and have it enabled. The feature gate
|
||||
// will not graduate or be enabled by default in future Kubernetes
|
||||
// releases.
|
||||
UserNamespacesPodSecurityStandards featuregate.Feature = "UserNamespacesPodSecurityStandards"
|
||||
|
||||
// owner: @rata, @giuseppe
|
||||
// kep: https://kep.k8s.io/127
|
||||
//
|
||||
@@ -1751,10 +1740,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
|
||||
{Version: version.MustParse("1.28"), Default: false, PreRelease: featuregate.Alpha},
|
||||
},
|
||||
|
||||
UserNamespacesPodSecurityStandards: {
|
||||
{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
|
||||
},
|
||||
|
||||
UserNamespacesSupport: {
|
||||
{Version: version.MustParse("1.25"), Default: false, PreRelease: featuregate.Alpha},
|
||||
{Version: version.MustParse("1.30"), Default: false, PreRelease: featuregate.Beta},
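Review bot: Deleting the `UserNamespacesPodSecurityStandards` entry outright means any component still started with `--feature-gates=UserNamespacesPodSecurityStandards=...` fails at startup with an unrecognized feature gate error, turning a gate that is now a no-op into an availability break for clusters that had opted in. The repo's usual pattern for a retired gate is to keep a tombstone entry for a release, e.g. `UserNamespacesPodSecurityStandards: {` / `{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},` / `{Version: version.MustParse("1.35"), Default: false, PreRelease: featuregate.Deprecated},`, and to drop the constant and the dependency-map entry removed in the neighbouring hunks only after that. If the removal policy for alpha gates permits direct deletion, the startup failure for opted-in clusters should at least be stated in the release note.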
|
||||
@@ -2295,8 +2280,6 @@ var defaultKubernetesFeatureGateDependencies = map[featuregate.Feature][]feature
|
||||
|
||||
UnknownVersionInteroperabilityProxy: {},
|
||||
|
||||
UserNamespacesPodSecurityStandards: {},
|
||||
|
||||
UserNamespacesSupport: {},
|
||||
|
||||
VolumeAttributesClass: {},
|
||||
|
||||
@@ -27,7 +27,6 @@ import (
|
||||
_ "k8s.io/kubernetes/pkg/apis/apps/install"
|
||||
_ "k8s.io/kubernetes/pkg/apis/batch/install"
|
||||
_ "k8s.io/kubernetes/pkg/apis/core/install"
|
||||
"k8s.io/kubernetes/pkg/features"
|
||||
|
||||
admissionv1 "k8s.io/api/admission/v1"
|
||||
appsv1 "k8s.io/api/apps/v1"
|
||||
@@ -44,7 +43,6 @@ import (
|
||||
"k8s.io/client-go/kubernetes"
|
||||
corev1listers "k8s.io/client-go/listers/core/v1"
|
||||
"k8s.io/component-base/compatibility"
|
||||
"k8s.io/component-base/featuregate"
|
||||
"k8s.io/component-base/metrics/legacyregistry"
|
||||
"k8s.io/kubernetes/pkg/api/legacyscheme"
|
||||
"k8s.io/kubernetes/pkg/apis/apps"
|
||||
@@ -71,8 +69,6 @@ func Register(plugins *admission.Plugins) {
|
||||
type Plugin struct {
|
||||
*admission.Handler
|
||||
|
||||
inspectedFeatureGates bool
|
||||
|
||||
inspectedEffectiveVersion bool
|
||||
emulationVersion *podsecurityadmissionapi.Version
|
||||
|
||||
@@ -173,16 +169,8 @@ func (p *Plugin) InspectEffectiveVersion(version compatibility.EffectiveVersion)
|
||||
}
|
||||
}
|
||||
|
||||
func (p *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) {
|
||||
p.inspectedFeatureGates = true
|
||||
policy.RelaxPolicyForUserNamespacePods(featureGates.Enabled(features.UserNamespacesPodSecurityStandards))
|
||||
}
|
||||
|
||||
// ValidateInitialization ensures all required options are set
|
||||
func (p *Plugin) ValidateInitialization() error {
|
||||
if !p.inspectedFeatureGates {
|
||||
return fmt.Errorf("%s did not see feature gates", PluginName)
|
||||
}
|
||||
if !p.inspectedEffectiveVersion {
|
||||
return fmt.Errorf("%s did not see effective version", PluginName)
|
||||
}
|
||||
|
||||
@@ -33,7 +33,6 @@ import (
|
||||
"k8s.io/apiserver/pkg/admission"
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
"k8s.io/apiserver/pkg/util/compatibility"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
"k8s.io/apiserver/pkg/warning"
|
||||
"k8s.io/client-go/informers"
|
||||
"k8s.io/client-go/kubernetes/fake"
|
||||
@@ -84,7 +83,6 @@ func BenchmarkVerifyPod(b *testing.B) {
|
||||
}
|
||||
|
||||
p.InspectEffectiveVersion(compatibility.DefaultBuildEffectiveVersion())
|
||||
p.InspectFeatureGates(utilfeature.DefaultFeatureGate)
|
||||
|
||||
enforceImplicitPrivilegedNamespace := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "enforce-implicit", Labels: map[string]string{}}}
|
||||
enforcePrivilegedNamespace := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "enforce-privileged", Labels: map[string]string{"pod-security.kubernetes.io/enforce": "privileged"}}}
|
||||
@@ -193,7 +191,6 @@ func BenchmarkVerifyNamespace(b *testing.B) {
|
||||
}
|
||||
|
||||
p.InspectEffectiveVersion(compatibility.DefaultBuildEffectiveVersion())
|
||||
p.InspectFeatureGates(utilfeature.DefaultFeatureGate)
|
||||
|
||||
namespace := "enforce"
|
||||
enforceNamespaceBaselineV1 := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: namespace, Labels: map[string]string{"pod-security.kubernetes.io/enforce": "baseline"}}}
|
||||
|
||||
@@ -27,27 +27,25 @@ import (
|
||||
|
||||
/*
|
||||
|
||||
The default /proc masks are set up to reduce attack surface, and should be required.
|
||||
The default /proc masks are set up to reduce attack surface, and should be required
|
||||
by the baseline policy unless the pod is in a user namespace ("hostUsers: false").
|
||||
|
||||
**Restricted Fields:**
|
||||
spec.containers[*].securityContext.procMount
|
||||
spec.initContainers[*].securityContext.procMount
|
||||
|
||||
**Allowed Values:** undefined/null, "Default"
|
||||
|
||||
However, if the pod is in a user namespace (`hostUsers: false`), and the
|
||||
UserNamespacesPodSecurityStandards feature is enabled, all values are allowed.
|
||||
|
||||
**Allowed Values:** undefined/null, "Default" (or any value if "hostUsers" is false)
|
||||
*/
|
||||
|
||||
func init() {
|
||||
addCheck(CheckProcMount)
|
||||
addCheck(CheckProcMountBaseline)
|
||||
}
|
||||
|
||||
// CheckProcMount returns a baseline level check that restricts
|
||||
// setting the value of securityContext.procMount to DefaultProcMount
|
||||
// in 1.0+
|
||||
func CheckProcMount() Check {
|
||||
// in 1.0+.
|
||||
// Starting in 1.35+, any value is allowed if the pod is in a user namespace ("hostUsers: false").
|
||||
func CheckProcMountBaseline() Check {
|
||||
return Check{
|
||||
ID: "procMount",
|
||||
Level: api.LevelBaseline,
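Review bot: The doc comment above the renamed function still opens with `// CheckProcMount returns a baseline level check that restricts`, so go doc and lint no longer associate it with `CheckProcMountBaseline`; it should read `// CheckProcMountBaseline returns a baseline level check that restricts`. Renaming an exported function in the published `k8s.io/pod-security-admission` module also breaks any out-of-tree caller of `CheckProcMount`; if that matters, keep a thin wrapper beside it, `// Deprecated: use CheckProcMountBaseline.` / `func CheckProcMount() Check { return CheckProcMountBaseline() }`, which is not passed to addCheck and so registers no duplicate check. The function body continues in the next hunk.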
|
||||
@@ -56,19 +54,16 @@ func CheckProcMount() Check {
|
||||
MinimumVersion: api.MajorMinorVersion(1, 0),
|
||||
CheckPod: procMount_1_0,
|
||||
},
|
||||
{
|
||||
MinimumVersion: api.MajorMinorVersion(1, 35),
|
||||
CheckPod: procMount1_35baseline,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// procMount_1_0 blocks unmasked procMount unconditionally
|
||||
func procMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
// TODO: When we remove the UserNamespacesPodSecurityStandards feature gate (and GA this relaxation),
|
||||
// create a new policy version.
|
||||
// Note: pod validation will check for well formed procMount type, so avoid double validation and allow everything
|
||||
// here.
|
||||
if relaxPolicyForUserNamespacePod(podSpec) {
|
||||
return CheckResult{Allowed: true}
|
||||
}
|
||||
|
||||
var badContainers []string
|
||||
forbiddenProcMountTypes := sets.NewString()
|
||||
visitContainers(podSpec, func(container *corev1.Container) {
|
||||
@@ -100,3 +95,12 @@ func procMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) Chec
|
||||
}
|
||||
return CheckResult{Allowed: true}
|
||||
}
|
||||
|
||||
// procMount1_35baseline blocks unmasked procMount for pods that are not in a user namespace
|
||||
func procMount1_35baseline(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
if relaxPolicyForUserNamespacePod(podSpec) {
|
||||
return CheckResult{Allowed: true}
|
||||
}
|
||||
// If the pod is not in a user namespace, treat it as restricted.
|
||||
return procMount_1_0(podMetadata, podSpec)
|
||||
}
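Review bot: The comment `// If the pod is not in a user namespace, treat it as restricted.` in `procMount1_35baseline` says "restricted" where it means the unconditional baseline block, which now reads as a reference to the Restricted PSS level given the separate `procMount_restricted` check introduced by this commit; `// Not in a user namespace: fall through to the unconditional 1.0 baseline check.` removes the ambiguity. The name `procMount1_35baseline` also mixes version-suffix conventions with `procMount_1_0` in the same file; the runAsNonRoot and runAsUser files have the same `1_35` versus `_1_0`/`_1_23` split, so one scheme should be picked across the three.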
|
||||
@@ -20,21 +20,20 @@ import (
|
||||
"testing"
|
||||
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"k8s.io/utils/ptr"
|
||||
)
|
||||
|
||||
func TestProcMount(t *testing.T) {
|
||||
func TestProcMountBaseline(t *testing.T) {
|
||||
defaultValue := corev1.DefaultProcMount
|
||||
unmaskedValue := corev1.UnmaskedProcMount
|
||||
otherValue := corev1.ProcMountType("other")
|
||||
|
||||
hostUsers := false
|
||||
tests := []struct {
|
||||
name string
|
||||
pod *corev1.Pod
|
||||
expectReason string
|
||||
expectDetail string
|
||||
expectAllowed bool
|
||||
relaxForUserNS bool
|
||||
name string
|
||||
pod *corev1.Pod
|
||||
expectReason string
|
||||
expectDetail string
|
||||
expectAllowed bool
|
||||
}{
|
||||
{
|
||||
name: "procMount",
|
||||
@@ -46,14 +45,14 @@ func TestProcMount(t *testing.T) {
|
||||
{Name: "d", SecurityContext: &corev1.SecurityContext{ProcMount: &unmaskedValue}},
|
||||
{Name: "e", SecurityContext: &corev1.SecurityContext{ProcMount: &otherValue}},
|
||||
},
|
||||
HostUsers: &hostUsers,
|
||||
HostUsers: ptr.To(true),
|
||||
}},
|
||||
expectReason: `procMount`,
|
||||
expectAllowed: false,
|
||||
expectDetail: `containers "d", "e" must not set securityContext.procMount to "Unmasked", "other"`,
|
||||
},
|
||||
{
|
||||
name: "procMount",
|
||||
name: "procMount with userns",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
Containers: []corev1.Container{
|
||||
{Name: "a", SecurityContext: nil},
|
||||
@@ -62,24 +61,17 @@ func TestProcMount(t *testing.T) {
|
||||
{Name: "d", SecurityContext: &corev1.SecurityContext{ProcMount: &unmaskedValue}},
|
||||
{Name: "e", SecurityContext: &corev1.SecurityContext{ProcMount: &otherValue}},
|
||||
},
|
||||
HostUsers: &hostUsers,
|
||||
HostUsers: ptr.To(false),
|
||||
}},
|
||||
expectReason: "",
|
||||
expectDetail: "",
|
||||
expectAllowed: true,
|
||||
relaxForUserNS: true,
|
||||
expectReason: "",
|
||||
expectDetail: "",
|
||||
expectAllowed: true,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
if tc.relaxForUserNS {
|
||||
RelaxPolicyForUserNamespacePods(true)
|
||||
t.Cleanup(func() {
|
||||
RelaxPolicyForUserNamespacePods(false)
|
||||
})
|
||||
}
|
||||
result := procMount_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
|
||||
result := procMount1_35baseline(&tc.pod.ObjectMeta, &tc.pod.Spec)
|
||||
if result.Allowed != tc.expectAllowed {
|
||||
t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
|
||||
}
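Review bot: Neither case in TestProcMountBaseline leaves `HostUsers` unset, yet nil is what most pods carry and is the input `relaxPolicyForUserNamespacePod` must reject; since every case now runs through `procMount1_35baseline`, add a third case identical to "procMount" with `HostUsers` omitted and the same denial expectations, so that a regression such as treating a nil pointer as "in a user namespace" would be caught. The test function begins outside this hunk.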
|
||||
@@ -0,0 +1,56 @@
|
||||
/*
|
||||
Copyright 2025 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package policy
|
||||
|
||||
import (
|
||||
"k8s.io/pod-security-admission/api"
|
||||
)
|
||||
|
||||
/*
|
||||
|
||||
The default /proc masks are set up to reduce attack surface, and should be required by the restricted profile.
|
||||
|
||||
**Restricted Fields:**
|
||||
spec.containers[*].securityContext.procMount
|
||||
spec.initContainers[*].securityContext.procMount
|
||||
|
||||
**Allowed Values:** undefined/null, "Default"
|
||||
|
||||
*/
|
||||
|
||||
func init() {
|
||||
addCheck(CheckProcMountRestricted)
|
||||
}
|
||||
|
||||
// CheckProcMountRestricted returns a restricted level check that forbids unmasked procmount.
|
||||
func CheckProcMountRestricted() Check {
|
||||
return Check{
|
||||
ID: "procMount_restricted",
|
||||
Level: api.LevelRestricted,
|
||||
Versions: []VersionedCheck{
|
||||
{
|
||||
// Prior to 1.35, the baseline "procMount" check ran procMount_1_0 to unconditionally block unmasked procMount.
|
||||
// In 1.35+, baseline conditionally relaxes for user namespace pods.
|
||||
// Starting at that version, keep running the unconditional block in the restricted profile,
|
||||
// and override the slightly weaker version of the same check from the baseline profile.
|
||||
MinimumVersion: api.MajorMinorVersion(1, 35),
|
||||
CheckPod: procMount_1_0,
|
||||
OverrideCheckIDs: []CheckID{"procMount"},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
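Review bot: `OverrideCheckIDs: []CheckID{"procMount"}` repeats the baseline check's ID as a bare string literal, so a typo in either place would silently leave both checks active and a restricted-level pod could end up judged by the weaker baseline relaxation; define the ID once, e.g. `const procMountCheckID CheckID = "procMount"` next to `CheckProcMountBaseline`, and use it for that check's `ID` and for this override list. The `CheckProcMountRestricted` doc comment would also benefit from saying that the restricted profile deliberately does not honor `hostUsers: false`, since that is the whole reason this check exists; the comment inside the version entry explains the mechanism but not the intent.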
|
||||
@@ -0,0 +1,71 @@
|
||||
/*
|
||||
Copyright 2025 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package policy
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
)
|
||||
|
||||
func TestProcMountRestricted(t *testing.T) {
|
||||
defaultValue := corev1.DefaultProcMount
|
||||
unmaskedValue := corev1.UnmaskedProcMount
|
||||
otherValue := corev1.ProcMountType("other")
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
pod *corev1.Pod
|
||||
expectReason string
|
||||
expectDetail string
|
||||
expectAllowed bool
|
||||
}{
|
||||
{
|
||||
name: "procMount",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
Containers: []corev1.Container{
|
||||
{Name: "a", SecurityContext: nil},
|
||||
{Name: "b", SecurityContext: &corev1.SecurityContext{}},
|
||||
{Name: "c", SecurityContext: &corev1.SecurityContext{ProcMount: &defaultValue}},
|
||||
{Name: "d", SecurityContext: &corev1.SecurityContext{ProcMount: &unmaskedValue}},
|
||||
{Name: "e", SecurityContext: &corev1.SecurityContext{ProcMount: &otherValue}},
|
||||
},
|
||||
}},
|
||||
expectReason: `procMount`,
|
||||
expectAllowed: false,
|
||||
expectDetail: `containers "d", "e" must not set securityContext.procMount to "Unmasked", "other"`,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
for _, userns := range []bool{true, false} {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
tc.pod.Spec.HostUsers = &userns
|
||||
result := procMount_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
|
||||
if result.Allowed != tc.expectAllowed {
|
||||
t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
|
||||
}
|
||||
if e, a := tc.expectReason, result.ForbiddenReason; e != a {
|
||||
t.Errorf("expected\n%s\ngot\n%s", e, a)
|
||||
}
|
||||
if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
|
||||
t.Errorf("expected\n%s\ngot\n%s", e, a)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
}
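Review bot: TestProcMountRestricted calls `procMount_1_0` directly, so it never exercises `CheckProcMountRestricted` itself, neither the `procMount_restricted` ID, the 1.35 minimum version nor the `OverrideCheckIDs` wiring, and would still pass if that check were registered with the wrong function; call `CheckProcMountRestricted().Versions[0].CheckPod(&tc.pod.ObjectMeta, &tc.pod.Spec)` instead, or assert those fields once. Both subtests in the inner loop also run under the same name `tc.name`, so failures are reported as `procMount` and `procMount#01`; include the `userns` value in the subtest name. `tc.pod.Spec.HostUsers = &userns` mutates the shared case between iterations, which is fine while the subtests are sequential but would race if `t.Parallel()` is ever added.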
|
||||
@@ -26,7 +26,8 @@ import (
|
||||
)
|
||||
|
||||
/*
|
||||
Containers must be required to run as non-root users.
|
||||
Containers must be required to run as non-root users,
|
||||
unless the pod is in a user namespace ("hostUsers: false").
|
||||
|
||||
**Restricted Fields:**
|
||||
|
||||
@@ -37,6 +38,7 @@ spec.initContainers[*].securityContext.runAsNonRoot
|
||||
**Allowed Values:**
|
||||
true
|
||||
undefined/null at container-level if pod-level is set to true
|
||||
any value if "hostUsers" is false
|
||||
*/
|
||||
|
||||
func init() {
|
||||
@@ -54,16 +56,26 @@ func CheckRunAsNonRoot() Check {
|
||||
MinimumVersion: api.MajorMinorVersion(1, 0),
|
||||
CheckPod: runAsNonRoot_1_0,
|
||||
},
|
||||
{
|
||||
MinimumVersion: api.MajorMinorVersion(1, 35),
|
||||
CheckPod: runAsNonRoot1_35,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func runAsNonRoot_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
func runAsNonRoot1_35(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
// See KEP-127: https://github.com/kubernetes/enhancements/blob/308ba8d/keps/sig-node/127-user-namespaces/README.md?plain=1#L411-L447
|
||||
// In the 1.0 policy, this relaxation was gated on a perma-alpha feature gate.
|
||||
// Instead of relaxing 1.0 policy, drop the relaxation there, and add it unconditionally here.
|
||||
if relaxPolicyForUserNamespacePod(podSpec) {
|
||||
return CheckResult{Allowed: true}
|
||||
}
|
||||
|
||||
return runAsNonRoot_1_0(podMetadata, podSpec)
|
||||
}
|
||||
|
||||
func runAsNonRoot_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
// things that explicitly set runAsNonRoot=false
|
||||
var badSetters []string
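Review bot: `runAsNonRoot1_35` has no doc comment, unlike `procMount1_35baseline` in the same package; add `// runAsNonRoot1_35 allows any runAsNonRoot setting for pods in a user namespace ("hostUsers: false") and otherwise applies runAsNonRoot_1_0.` The same applies to `runAsUser1_35` in the runAsUser hunk, whose body comment reads `// Instead of relaxing 1.0 policy, drop the relaxation there` although the check it wraps is the 1.23 policy, so it should say `1.23`, and which has a stray blank line before its closing brace. The `runAsNonRoot_1_0` body that follows continues outside this hunk.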
|
||||
|
||||
|
||||
@@ -25,12 +25,11 @@ import (
|
||||
|
||||
func TestRunAsNonRoot(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
pod *corev1.Pod
|
||||
expectReason string
|
||||
expectDetail string
|
||||
expectAllowed bool
|
||||
relaxForUserNS bool
|
||||
name string
|
||||
pod *corev1.Pod
|
||||
expectReason string
|
||||
expectDetail string
|
||||
expectAllowed bool
|
||||
}{
|
||||
{
|
||||
name: "no explicit runAsNonRoot",
|
||||
@@ -83,37 +82,17 @@ func TestRunAsNonRoot(t *testing.T) {
|
||||
expectDetail: `pod or containers "a", "b" must set securityContext.runAsNonRoot=true`,
|
||||
},
|
||||
{
|
||||
name: "UserNamespacesPodSecurityStandards enabled without HostUsers",
|
||||
name: "host users false allowed",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
HostUsers: ptr.To(false),
|
||||
}},
|
||||
expectAllowed: true,
|
||||
relaxForUserNS: true,
|
||||
},
|
||||
{
|
||||
name: "UserNamespacesPodSecurityStandards enabled with HostUsers",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
Containers: []corev1.Container{
|
||||
{Name: "a"},
|
||||
},
|
||||
HostUsers: ptr.To(true),
|
||||
}},
|
||||
expectReason: `runAsNonRoot != true`,
|
||||
expectDetail: `pod or container "a" must set securityContext.runAsNonRoot=true`,
|
||||
expectAllowed: false,
|
||||
relaxForUserNS: true,
|
||||
expectAllowed: true,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
if tc.relaxForUserNS {
|
||||
RelaxPolicyForUserNamespacePods(true)
|
||||
t.Cleanup(func() {
|
||||
RelaxPolicyForUserNamespacePods(false)
|
||||
})
|
||||
}
|
||||
result := runAsNonRoot_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
|
||||
result := runAsNonRoot1_35(&tc.pod.ObjectMeta, &tc.pod.Spec)
|
||||
if result.Allowed != tc.expectAllowed {
|
||||
t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
|
||||
}
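Review bot: It looks like the case that set `HostUsers: ptr.To(true)` and expected `runAsNonRoot != true` was dropped rather than kept as a negative case for `runAsNonRoot1_35`, so the new function's fall-through to `runAsNonRoot_1_0` is only covered through cases that leave `hostUsers` unset; keep one case with `HostUsers: ptr.To(true)` and `expectAllowed: false`, since explicit true and nil are distinct inputs to `relaxPolicyForUserNamespacePod`. TestRunAsUser appears to have the same reduction in its equivalent hunk. The test function begins outside this hunk.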
|
||||
|
||||
@@ -27,6 +27,7 @@ import (
|
||||
|
||||
/*
|
||||
Containers must not set runAsUser: 0
|
||||
unless the pod is in a user namespace ("hostUsers: false").
|
||||
|
||||
**Restricted Fields:**
|
||||
|
||||
@@ -37,6 +38,7 @@ spec.initContainers[*].securityContext.runAsUser
|
||||
**Allowed Values:**
|
||||
non-zero values
|
||||
undefined/null
|
||||
any value if "hostUsers" is false
|
||||
|
||||
*/
|
||||
|
||||
@@ -55,16 +57,26 @@ func CheckRunAsUser() Check {
|
||||
MinimumVersion: api.MajorMinorVersion(1, 23),
|
||||
CheckPod: runAsUser_1_23,
|
||||
},
|
||||
{
|
||||
MinimumVersion: api.MajorMinorVersion(1, 35),
|
||||
CheckPod: runAsUser1_35,
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func runAsUser_1_23(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
func runAsUser1_35(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
// See KEP-127: https://github.com/kubernetes/enhancements/blob/308ba8d/keps/sig-node/127-user-namespaces/README.md?plain=1#L411-L447
|
||||
// In the 1.23 policy, this relaxation was gated on a perma-alpha feature gate.
|
||||
// Instead of relaxing 1.0 policy, drop the relaxation there, and add it unconditionally here.
|
||||
if relaxPolicyForUserNamespacePod(podSpec) {
|
||||
return CheckResult{Allowed: true}
|
||||
}
|
||||
return runAsUser_1_23(podMetadata, podSpec)
|
||||
|
||||
}
|
||||
|
||||
func runAsUser_1_23(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
|
||||
// things that explicitly set runAsUser=0
|
||||
var badSetters []string
|
||||
|
||||
|
||||
@@ -25,12 +25,11 @@ import (
|
||||
|
||||
func TestRunAsUser(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
pod *corev1.Pod
|
||||
expectAllowed bool
|
||||
expectReason string
|
||||
expectDetail string
|
||||
relaxForUserNS bool
|
||||
name string
|
||||
pod *corev1.Pod
|
||||
expectAllowed bool
|
||||
expectReason string
|
||||
expectDetail string
|
||||
}{
|
||||
{
|
||||
name: "pod runAsUser=0",
|
||||
@@ -92,38 +91,17 @@ func TestRunAsUser(t *testing.T) {
|
||||
expectAllowed: true,
|
||||
},
|
||||
{
|
||||
name: "UserNamespacesPodSecurityStandards enabled without HostUsers",
|
||||
name: "host users false allowed",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
HostUsers: ptr.To(false),
|
||||
}},
|
||||
expectAllowed: true,
|
||||
relaxForUserNS: true,
|
||||
},
|
||||
{
|
||||
name: "UserNamespacesPodSecurityStandards enabled with HostUsers",
|
||||
pod: &corev1.Pod{Spec: corev1.PodSpec{
|
||||
SecurityContext: &corev1.PodSecurityContext{RunAsUser: ptr.To[int64](0)},
|
||||
Containers: []corev1.Container{
|
||||
{Name: "a", SecurityContext: nil},
|
||||
},
|
||||
HostUsers: ptr.To(true),
|
||||
}},
|
||||
expectAllowed: false,
|
||||
expectReason: `runAsUser=0`,
|
||||
expectDetail: `pod must not set runAsUser=0`,
|
||||
relaxForUserNS: true,
|
||||
expectAllowed: true,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range tests {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
if tc.relaxForUserNS {
|
||||
RelaxPolicyForUserNamespacePods(true)
|
||||
t.Cleanup(func() {
|
||||
RelaxPolicyForUserNamespacePods(false)
|
||||
})
|
||||
}
|
||||
result := runAsUser_1_23(&tc.pod.ObjectMeta, &tc.pod.Spec)
|
||||
result := runAsUser1_35(&tc.pod.ObjectMeta, &tc.pod.Spec)
|
||||
if result.Allowed != tc.expectAllowed {
|
||||
t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
|
||||
}
|
||||
|
||||
@@ -18,7 +18,6 @@ package policy
|
||||
|
||||
import (
|
||||
"strings"
|
||||
"sync/atomic"
|
||||
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
)
|
||||
@@ -37,20 +36,8 @@ func pluralize(singular, plural string, count int) string {
|
||||
return plural
|
||||
}
|
||||
|
||||
var relaxPolicyForUserNamespacePods = &atomic.Bool{}
|
||||
|
||||
// RelaxPolicyForUserNamespacePods allows opting into relaxing runAsUser /
|
||||
// runAsNonRoot restricted policies for user namespace pods, before the
|
||||
// usernamespace feature has reached GA and propagated to the oldest supported
|
||||
// nodes.
|
||||
// This should only be opted into in clusters where the administrator ensures
|
||||
// all nodes in the cluster enable the user namespace feature.
|
||||
func RelaxPolicyForUserNamespacePods(relax bool) {
|
||||
relaxPolicyForUserNamespacePods.Store(relax)
|
||||
}
|
||||
|
||||
// relaxPolicyForUserNamespacePod returns true if a policy should be relaxed
|
||||
// because of enabled user namespaces in the provided pod spec.
|
||||
func relaxPolicyForUserNamespacePod(podSpec *corev1.PodSpec) bool {
|
||||
return relaxPolicyForUserNamespacePods.Load() && podSpec != nil && podSpec.HostUsers != nil && !*podSpec.HostUsers
|
||||
return podSpec != nil && podSpec.HostUsers != nil && !*podSpec.HostUsers
|
||||
}
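Review bot: Removing the exported `RelaxPolicyForUserNamespacePods` from the published `k8s.io/pod-security-admission` module is a breaking API change for any out-of-tree integrator that called it from its own feature-gate inspection; a shim `// Deprecated: the relaxation is unconditional for 1.35+ policies; this is a no-op.` / `func RelaxPolicyForUserNamespacePods(bool) {}` would keep them compiling for a release. The doc comment on `relaxPolicyForUserNamespacePod` should also record the invariant the now-unconditional relaxation rests on, as the commit message states it: it is safe only because every kubelet within the supported skew rejects a `hostUsers: false` pod it cannot run in a user namespace, so a future reader does not mistake the nil/false check for a sufficient condition on its own.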
|
||||
|
||||
@@ -20,10 +20,10 @@ import (
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"k8s.io/component-base/featuregate"
|
||||
"k8s.io/pod-security-admission/api"
|
||||
"k8s.io/utils/ptr"
|
||||
)
|
||||
|
||||
func init() {
|
||||
hostUsers := false
|
||||
fixtureData_1_0 := fixtureGenerator{
|
||||
expectErrorSubstring: "procMount",
|
||||
generatePass: func(p *corev1.Pod) []*corev1.Pod {
|
||||
@@ -34,7 +34,7 @@ func init() {
|
||||
validProcMountType := corev1.DefaultProcMount
|
||||
copy.Spec.Containers[0].SecurityContext.ProcMount = &validProcMountType
|
||||
copy.Spec.InitContainers[0].SecurityContext.ProcMount = &validProcMountType
|
||||
copy.Spec.HostUsers = &hostUsers
|
||||
copy.Spec.HostUsers = ptr.To(false)
|
||||
}),
|
||||
}
|
||||
},
|
||||
@@ -46,13 +46,13 @@ func init() {
|
||||
tweak(p, func(copy *corev1.Pod) {
|
||||
unmaskedProcMountType := corev1.UnmaskedProcMount
|
||||
copy.Spec.Containers[0].SecurityContext.ProcMount = &unmaskedProcMountType
|
||||
copy.Spec.HostUsers = &hostUsers
|
||||
copy.Spec.HostUsers = ptr.To(false)
|
||||
}),
|
||||
// set proc mount of init container to a forbidden value
|
||||
tweak(p, func(copy *corev1.Pod) {
|
||||
unmaskedProcMountType := corev1.UnmaskedProcMount
|
||||
copy.Spec.InitContainers[0].SecurityContext.ProcMount = &unmaskedProcMountType
|
||||
copy.Spec.HostUsers = &hostUsers
|
||||
copy.Spec.HostUsers = ptr.To(false)
|
||||
}),
|
||||
}
|
||||
},
|
||||
@@ -62,4 +62,88 @@ func init() {
|
||||
fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 0), check: "procMount"},
|
||||
fixtureData_1_0,
|
||||
)
|
||||
|
||||
fixtureData1_35baseline := fixtureGenerator{
|
||||
expectErrorSubstring: "procMount",
|
||||
generatePass: func(p *corev1.Pod) []*corev1.Pod {
|
||||
p = ensureSecurityContext(p)
|
||||
return []*corev1.Pod{
|
||||
// set proc mount of container and init container to a valid value
|
||||
tweak(p, func(copy *corev1.Pod) {
|
||||
validProcMountType := corev1.DefaultProcMount
|
||||
copy.Spec.Containers[0].SecurityContext.ProcMount = &validProcMountType
|
||||
copy.Spec.InitContainers[0].SecurityContext.ProcMount = &validProcMountType
|
||||
copy.Spec.HostUsers = ptr.To(false)
|
||||
}),
|
||||
tweak(p, func(copy *corev1.Pod) {
|
||||
unmaskedProcMountType := corev1.UnmaskedProcMount
|
||||
copy.Spec.Containers[0].SecurityContext.ProcMount = &unmaskedProcMountType
|
||||
copy.Spec.InitContainers[0].SecurityContext.ProcMount = &unmaskedProcMountType
|
||||
copy.Spec.HostUsers = ptr.To(false)
|
||||
}),
|
||||
}
|
||||
},
|
||||
failRequiresFeatures: []featuregate.Feature{"ProcMountType"},
|
||||
generateFail: func(p *corev1.Pod) []*corev1.Pod {
|
||||
p = ensureSecurityContext(p)
|
||||
return []*corev1.Pod{
|
||||
// set proc mount of container to a forbidden value
|
||||
tweak(p, func(copy *corev1.Pod) {
|
||||
unmaskedProcMountType := corev1.UnmaskedProcMount
|
||||
copy.Spec.Containers[0].SecurityContext.ProcMount = &unmaskedProcMountType
|
||||
copy.Spec.HostUsers = ptr.To(true)
|
||||
}),
|
||||
// set proc mount of init container to a forbidden value
|
||||
tweak(p, func(copy *corev1.Pod) {
|
||||
unmaskedProcMountType := corev1.UnmaskedProcMount
|
||||
copy.Spec.InitContainers[0].SecurityContext.ProcMount = &unmaskedProcMountType
|
||||
copy.Spec.HostUsers = ptr.To(true)
|
||||
}),
|
||||
}
|
||||
},
|
||||
}
|
||||
|
||||
registerFixtureGenerator(
|
||||
fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 35), check: "procMount"},
|
||||
fixtureData1_35baseline,
|
||||
)
|
||||
|
||||
fixtureData1_35restricted := fixtureGenerator{
|
||||
expectErrorSubstring: "procMount",
|
||||
generatePass: func(p *corev1.Pod) []*corev1.Pod {
|
||||
p = ensureSecurityContext(p)
|
||||
return []*corev1.Pod{
|
||||
// set proc mount of container and init container to a valid value
|
||||
tweak(p, func(copy *corev1.Pod) {
|
||||
validProcMountType := corev1.DefaultProcMount
|
||||
copy.Spec.Containers[0].SecurityContext.ProcMount = &validProcMountType
|
||||
copy.Spec.InitContainers[0].SecurityContext.ProcMount = &validProcMountType
|
||||
copy.Spec.HostUsers = ptr.To(false)
|
||||
}),
|
||||
}
|
||||
},
|
||||
failRequiresFeatures: []featuregate.Feature{"ProcMountType"},
|
||||
generateFail: func(p *corev1.Pod) []*corev1.Pod {
|
||||
p = ensureSecurityContext(p)
|
||||
return []*corev1.Pod{
|
||||
// set proc mount of container to a forbidden value
|
||||
tweak(p, func(copy *corev1.Pod) {
|
||||
unmaskedProcMountType := corev1.UnmaskedProcMount
|
||||
copy.Spec.Containers[0].SecurityContext.ProcMount = &unmaskedProcMountType
|
||||
copy.Spec.HostUsers = ptr.To(false)
|
||||
}),
|
||||
// set proc mount of init container to a forbidden value
|
||||
tweak(p, func(copy *corev1.Pod) {
|
||||
unmaskedProcMountType := corev1.UnmaskedProcMount
|
||||
copy.Spec.InitContainers[0].SecurityContext.ProcMount = &unmaskedProcMountType
|
||||
copy.Spec.HostUsers = ptr.To(false)
|
||||
}),
|
||||
}
|
||||
},
|
||||
}
|
||||
|
||||
registerFixtureGenerator(
|
||||
fixtureKey{level: api.LevelRestricted, version: api.MajorMinorVersion(1, 35), check: "procMount_restricted"},
|
||||
fixtureData1_35restricted,
|
||||
)
|
||||
}
|
||||
|
||||
@@ -37,7 +37,7 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
newestMinorVersionToTest = 34
|
||||
newestMinorVersionToTest = 35
|
||||
podOSBasedRestrictionEnabledVersion = 29
|
||||
)
|
||||
|
||||
|
||||
13
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/apparmorprofile0.yaml
@@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
annotations:
|
||||
container.apparmor.security.beta.kubernetes.io/container1: unconfined
|
||||
name: apparmorprofile0
|
||||
spec:
|
||||
containers:
|
||||
- image: registry.k8s.io/pause
|
||||
name: container1
|
||||
initContainers:
|
||||
- image: registry.k8s.io/pause
|
||||
name: initcontainer1
|
||||
13
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/apparmorprofile1.yaml
@@ -0,0 +1,13 @@
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
annotations:
|
||||
container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
|
||||
name: apparmorprofile1
|
||||
spec:
|
||||
containers:
|
||||
- image: registry.k8s.io/pause
|
||||
name: container1
|
||||
initContainers:
|
||||
- image: registry.k8s.io/pause
|
||||
name: initcontainer1
|
||||
18
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline0.yaml
@@ -0,0 +1,18 @@
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: capabilities_baseline0
|
||||
spec:
|
||||
containers:
|
||||
- image: registry.k8s.io/pause
|
||||
name: container1
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- NET_RAW
|
||||
initContainers:
|
||||
- image: registry.k8s.io/pause
|
||||
name: initcontainer1
|
||||
securityContext:
|
||||
capabilities: {}
|
||||
securityContext: {}
|
||||
18
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline1.yaml
@@ -0,0 +1,18 @@
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: capabilities_baseline1
|
||||
spec:
|
||||
containers:
|
||||
- image: registry.k8s.io/pause
|
||||
name: container1
|
||||
securityContext:
|
||||
capabilities: {}
|
||||
initContainers:
|
||||
- image: registry.k8s.io/pause
|
||||
name: initcontainer1
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- NET_RAW
|
||||
securityContext: {}
|
||||
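--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline2.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: capabilities_baseline2
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+capabilities:
+add:
+- chown
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+capabilities: {}
+securityContext: {}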
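--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline3.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: capabilities_baseline3
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+capabilities:
+add:
+- CAP_CHOWN
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+capabilities: {}
+securityContext: {}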
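--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostnamespaces0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+hostIPC: true
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1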
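--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces1.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostnamespaces1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+hostNetwork: true
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1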
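--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces2.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces2.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostnamespaces2
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+hostPID: true
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1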
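--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostpathvolumes0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+volumes:
+- emptyDir: {}
+name: volume-emptydir
+- hostPath:
+path: /a
+name: volume-hostpath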
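--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostpathvolumes1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+volumes:
+- hostPath:
+path: /a
+name: volume-hostpath-a
+- hostPath:
+path: /b
+name: volume-hostpath-b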
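--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports0.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostports0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+ports:
+- containerPort: 12345
+hostPort: 12345
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1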
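--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports1.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostports1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+ports:
+- containerPort: 12346
+hostPort: 12346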
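--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports2.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostports2
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+ports:
+- containerPort: 12345
+hostPort: 12345
+- containerPort: 12347
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+ports:
+- containerPort: 12346
+hostPort: 12346
+- containerPort: 12348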
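--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostprobesandhostlifecycle0
+spec:
+containers:
+- image: registry.k8s.io/pause
+livenessProbe:
+httpGet:
+host: bad.host
+port: 8080
+name: container1
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1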
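--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostprobesandhostlifecycle1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+readinessProbe:
+tcpSocket:
+host: 8.8.8.8
+port: 8080
+restartPolicy: Always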
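--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle2.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostprobesandhostlifecycle2
+spec:
+containers:
+- image: registry.k8s.io/pause
+lifecycle:
+postStart:
+httpGet:
+host: bad.host
+port: 8080
+name: container1
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1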
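--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle3.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle3.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostprobesandhostlifecycle3
+spec:
+containers:
+- image: registry.k8s.io/pause
+livenessProbe:
+httpGet:
+host: 127.0.0.1
+port: 8080
+name: container1
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1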
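--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle4.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle4.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostprobesandhostlifecycle4
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+readinessProbe:
+tcpSocket:
+host: ::1
+port: 8080
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1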
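--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: privileged0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+privileged: true
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext: {}
+securityContext: {}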
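--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: privileged1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext: {}
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+privileged: true
+securityContext: {}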
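--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: procmount0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+procMount: Unmasked
+hostUsers: true
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext: {}
+securityContext: {}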
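--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: procmount1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext: {}
+hostUsers: true
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+procMount: Unmasked
+securityContext: {}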
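--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: seccompprofile_baseline0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext: {}
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext: {}
+securityContext:
+seccompProfile:
+type: Unconfined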
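--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: seccompprofile_baseline1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+seccompProfile:
+type: Unconfined
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext: {}
+securityContext: {}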
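--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline2.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: seccompprofile_baseline2
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext: {}
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+seccompProfile:
+type: Unconfined
+securityContext: {}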
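--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: selinuxoptions0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+seLinuxOptions: {}
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+seLinuxOptions: {}
+securityContext:
+seLinuxOptions:
+type: somevalue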
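--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: selinuxoptions1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+seLinuxOptions:
+type: somevalue
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+seLinuxOptions: {}
+securityContext:
+seLinuxOptions: {}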
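--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions2.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: selinuxoptions2
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+seLinuxOptions: {}
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+seLinuxOptions:
+type: somevalue
+securityContext:
+seLinuxOptions: {}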
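--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions3.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: selinuxoptions3
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+seLinuxOptions: {}
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+seLinuxOptions: {}
+securityContext:
+seLinuxOptions:
+user: somevalue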
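--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions4.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: selinuxoptions4
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+seLinuxOptions: {}
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+seLinuxOptions: {}
+securityContext:
+seLinuxOptions:
+role: somevalue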
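--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/sysctls0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: sysctls0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+sysctls:
+- name: othersysctl
+value: other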
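--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: windowshostprocess0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+windowsOptions: {}
+hostNetwork: true
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+windowsOptions: {}
+securityContext:
+windowsOptions:
+hostProcess: true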
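--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess1.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: windowshostprocess1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+windowsOptions:
+hostProcess: true
+hostNetwork: true
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+windowsOptions:
+hostProcess: true
+securityContext:
+windowsOptions: {}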
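--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/apparmorprofile0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/apparmorprofile0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+annotations:
+container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
+name: apparmorprofile0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1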
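--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/base.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: base
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1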
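--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/capabilities_baseline0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/capabilities_baseline0.yaml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: capabilities_baseline0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+capabilities:
+add:
+- AUDIT_WRITE
+- CHOWN
+- DAC_OVERRIDE
+- FOWNER
+- FSETID
+- KILL
+- MKNOD
+- NET_BIND_SERVICE
+- SETFCAP
+- SETGID
+- SETPCAP
+- SETUID
+- SYS_CHROOT
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+capabilities:
+add:
+- AUDIT_WRITE
+- CHOWN
+- DAC_OVERRIDE
+- FOWNER
+- FSETID
+- KILL
+- MKNOD
+- NET_BIND_SERVICE
+- SETFCAP
+- SETGID
+- SETPCAP
+- SETUID
+- SYS_CHROOT
+securityContext: {}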
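--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostports0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostports0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostports0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+ports:
+- containerPort: 12345
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+ports:
+- containerPort: 12346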
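--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle0.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostprobesandhostlifecycle0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1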
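--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle1.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostprobesandhostlifecycle1
+spec:
+containers:
+- image: registry.k8s.io/pause
+livenessProbe:
+httpGet:
+port: 8080
+name: container1
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1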
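--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle2.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle2.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostprobesandhostlifecycle2
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+readinessProbe:
+tcpSocket:
+port: 8080
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1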
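--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/privileged0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: privileged0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+privileged: false
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+privileged: false
+securityContext: {}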
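--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: procmount0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+procMount: Default
+hostUsers: false
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+procMount: Default
+securityContext: {}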
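--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: procmount1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+procMount: Unmasked
+hostUsers: false
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+procMount: Unmasked
+securityContext: {}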
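--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/seccompprofile_baseline0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/seccompprofile_baseline0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: seccompprofile_baseline0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+seccompProfile:
+type: RuntimeDefault
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext: {}
+securityContext:
+seccompProfile:
+type: RuntimeDefault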
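--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: selinuxoptions0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext: {}
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+seLinuxOptions: {}
+securityContext: {}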
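--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: selinuxoptions1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+seLinuxOptions:
+level: somevalue
+type: container_init_t
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+seLinuxOptions:
+type: container_kvm_t
+securityContext:
+seLinuxOptions:
+type: container_t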
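--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: sysctls0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext: {}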
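--- a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: sysctls1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+sysctls:
+- name: net.ipv4.tcp_rmem
+value: 4096 87380 16777216
+- name: net.ipv4.tcp_wmem
+value: 4096 65536 16777216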
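--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: allowprivilegeescalation0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: true
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault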
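--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation1.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: allowprivilegeescalation1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: true
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault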
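--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation2.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation2.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: allowprivilegeescalation2
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault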
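--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation3.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: allowprivilegeescalation3
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault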
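--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+annotations:
+container.apparmor.security.beta.kubernetes.io/container1: unconfined
+name: apparmorprofile0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault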
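--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+annotations:
+container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
+name: apparmorprofile1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault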
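--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: capabilities_baseline0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- NET_RAW
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault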
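--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: capabilities_baseline1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- NET_RAW
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault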
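--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline2.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline2.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: capabilities_baseline2
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- chown
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault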
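--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline3.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline3.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: capabilities_baseline3
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- CAP_CHOWN
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault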
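--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted0.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: capabilities_restricted0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities: {}
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault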
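--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted1.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: capabilities_restricted1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities: {}
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault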
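--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted2.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted2.yaml
@@ -0,0 +1,97 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: capabilities_restricted2
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- SYS_TIME
+- SYS_MODULE
+- SYS_RAWIO
+- SYS_PACCT
+- SYS_ADMIN
+- SYS_NICE
+- SYS_RESOURCE
+- SYS_TIME
+- SYS_TTY_CONFIG
+- MKNOD
+- AUDIT_WRITE
+- AUDIT_CONTROL
+- MAC_OVERRIDE
+- MAC_ADMIN
+- NET_ADMIN
+- SYSLOG
+- CHOWN
+- NET_RAW
+- DAC_OVERRIDE
+- FOWNER
+- DAC_READ_SEARCH
+- FSETID
+- KILL
+- SETGID
+- SETUID
+- LINUX_IMMUTABLE
+- NET_BIND_SERVICE
+- NET_BROADCAST
+- IPC_LOCK
+- IPC_OWNER
+- SYS_CHROOT
+- SYS_PTRACE
+- SYS_BOOT
+- LEASE
+- SETFCAP
+- WAKE_ALARM
+- BLOCK_SUSPEND
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- SYS_TIME
+- SYS_MODULE
+- SYS_RAWIO
+- SYS_PACCT
+- SYS_ADMIN
+- SYS_NICE
+- SYS_RESOURCE
+- SYS_TIME
+- SYS_TTY_CONFIG
+- MKNOD
+- AUDIT_WRITE
+- AUDIT_CONTROL
+- MAC_OVERRIDE
+- MAC_ADMIN
+- NET_ADMIN
+- SYSLOG
+- CHOWN
+- NET_RAW
+- DAC_OVERRIDE
+- FOWNER
+- DAC_READ_SEARCH
+- FSETID
+- KILL
+- SETGID
+- SETUID
+- LINUX_IMMUTABLE
+- NET_BIND_SERVICE
+- NET_BROADCAST
+- IPC_LOCK
+- IPC_OWNER
+- SYS_CHROOT
+- SYS_PTRACE
+- SYS_BOOT
+- LEASE
+- SETFCAP
+- WAKE_ALARM
+- BLOCK_SUSPEND
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault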
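--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted3.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted3.yaml
@@ -0,0 +1,53 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: capabilities_restricted3
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- AUDIT_WRITE
+- CHOWN
+- DAC_OVERRIDE
+- FOWNER
+- FSETID
+- KILL
+- MKNOD
+- NET_BIND_SERVICE
+- SETFCAP
+- SETGID
+- SETPCAP
+- SETUID
+- SYS_CHROOT
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+add:
+- AUDIT_WRITE
+- CHOWN
+- DAC_OVERRIDE
+- FOWNER
+- FSETID
+- KILL
+- MKNOD
+- NET_BIND_SERVICE
+- SETFCAP
+- SETGID
+- SETPCAP
+- SETUID
+- SYS_CHROOT
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault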
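--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces0.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostnamespaces0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+hostIPC: true
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault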
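--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostnamespaces1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+hostNetwork: true
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault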
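--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces2.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces2.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostnamespaces2
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+hostPID: true
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault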
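--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes0.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostpathvolumes0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
+volumes:
+- emptyDir: {}
+name: volume-emptydir
+- hostPath:
+path: /a
+name: volume-hostpath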
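--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes1.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostpathvolumes1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
+volumes:
+- hostPath:
+path: /a
+name: volume-hostpath-a
+- hostPath:
+path: /b
+name: volume-hostpath-b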
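--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports0.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostports0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+ports:
+- containerPort: 12345
+hostPort: 12345
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault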
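--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports1.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostports1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+ports:
+- containerPort: 12346
+hostPort: 12346
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault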
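--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports2.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports2.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostports2
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+ports:
+- containerPort: 12345
+hostPort: 12345
+- containerPort: 12347
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+ports:
+- containerPort: 12346
+hostPort: 12346
+- containerPort: 12348
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault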
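--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostprobesandhostlifecycle0
+spec:
+containers:
+- image: registry.k8s.io/pause
+livenessProbe:
+httpGet:
+host: bad.host
+port: 8080
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault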
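--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostprobesandhostlifecycle1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+readinessProbe:
+tcpSocket:
+host: 8.8.8.8
+port: 8080
+restartPolicy: Always
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault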
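--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle2.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle2.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostprobesandhostlifecycle2
+spec:
+containers:
+- image: registry.k8s.io/pause
+lifecycle:
+postStart:
+httpGet:
+host: bad.host
+port: 8080
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault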
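--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle3.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle3.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostprobesandhostlifecycle3
+spec:
+containers:
+- image: registry.k8s.io/pause
+livenessProbe:
+httpGet:
+host: 127.0.0.1
+port: 8080
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault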
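--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle4.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle4.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: hostprobesandhostlifecycle4
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+readinessProbe:
+tcpSocket:
+host: ::1
+port: 8080
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault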
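--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: privileged0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+capabilities:
+drop:
+- ALL
+privileged: true
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault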
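--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged1.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: privileged1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+capabilities:
+drop:
+- ALL
+privileged: true
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault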
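--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: procmount0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+procMount: Unmasked
+hostUsers: true
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault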
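--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: procmount1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+hostUsers: true
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+procMount: Unmasked
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault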
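--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: procmount_restricted0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+procMount: Unmasked
+hostUsers: false
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault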
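--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: procmount_restricted1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+hostUsers: false
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+procMount: Unmasked
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault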
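--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes0.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: restrictedvolumes0
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
+volumes:
+- gcePersistentDisk:
+pdName: test
+name: volume1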
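--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes1.yaml
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes1.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: restrictedvolumes1
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
+volumes:
+- awsElasticBlockStore:
+volumeID: test
+name: volume1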
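--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes10.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: restrictedvolumes10
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
+volumes:
+- flocker:
+datasetName: test
+name: volume1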
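--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes11.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+name: restrictedvolumes11
+spec:
+containers:
+- image: registry.k8s.io/pause
+name: container1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+initContainers:
+- image: registry.k8s.io/pause
+name: initcontainer1
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
+volumes:
+- fc:
+wwids:
+- test
+name: volume1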