Skip to content

Commit

Permalink
add PSA testdata 1.32
Browse files Browse the repository at this point in the history
  • Loading branch information
@pacoxu
pacoxu committed Oct 12, 2024
1 parent 97108d5 commit e9d999d
Show file tree
Hide file tree
Showing 130 changed files with 3,199 additions and 18 deletions.
23 changes: 6 additions & 17 deletions staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -90,30 +90,19 @@ var (
"net.ipv4.ping_group_range",
"net.ipv4.ip_unprivileged_port_start",
)
sysctlsAllowedV1Dot27 = sets.NewString(
"kernel.shm_rmid_forced",
"net.ipv4.ip_local_port_range",
"net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range",
"net.ipv4.ip_unprivileged_port_start",
"net.ipv4.ip_local_reserved_ports",
)
sysctlsAllowedV1Dot29 = sets.NewString(
"kernel.shm_rmid_forced",
"net.ipv4.ip_local_port_range",
"net.ipv4.tcp_syncookies",
"net.ipv4.ping_group_range",
"net.ipv4.ip_unprivileged_port_start",
sysctlsAllowedV1Dot27 = sysctlsAllowedV1Dot0.Union(sets.NewString(
"net.ipv4.ip_local_reserved_ports",
))
sysctlsAllowedV1Dot29 = sysctlsAllowedV1Dot27.Union(sets.NewString(
"net.ipv4.tcp_keepalive_time",
"net.ipv4.tcp_fin_timeout",
"net.ipv4.tcp_keepalive_intvl",
"net.ipv4.tcp_keepalive_probes",
)
sysctlsAllowedV1Dot32 = sets.NewString(
))
sysctlsAllowedV1Dot32 = sysctlsAllowedV1Dot29.Union(sets.NewString(
"net.ipv4.tcp_rmem",
"net.ipv4.tcp_wmem",
)
))
)

func sysctlsV1Dot0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
Expand Down
2 changes: 1 addition & 1 deletion staging/src/k8s.io/pod-security-admission/test/run.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ import (
)

const (
newestMinorVersionToTest = 31
newestMinorVersionToTest = 32
podOSBasedRestrictionEnabledVersion = 29
)

Expand Down
13 changes: 13 additions & 0 deletions ...src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/apparmorprofile0.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/container1: unconfined
name: apparmorprofile0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
13 changes: 13 additions & 0 deletions ...src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/apparmorprofile1.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
name: apparmorprofile1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
18 changes: 18 additions & 0 deletions ...s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline0.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
capabilities:
add:
- NET_RAW
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
capabilities: {}
securityContext: {}
18 changes: 18 additions & 0 deletions ...s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline1.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
capabilities: {}
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
capabilities:
add:
- NET_RAW
securityContext: {}
18 changes: 18 additions & 0 deletions ...s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline2.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline2
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
capabilities:
add:
- chown
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
capabilities: {}
securityContext: {}
18 changes: 18 additions & 0 deletions ...s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline3.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline3
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
capabilities:
add:
- CAP_CHOWN
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
capabilities: {}
securityContext: {}
12 changes: 12 additions & 0 deletions .../src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostnamespaces0.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
hostIPC: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
12 changes: 12 additions & 0 deletions .../src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostnamespaces1.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
hostNetwork: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
12 changes: 12 additions & 0 deletions .../src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostnamespaces2.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces2
spec:
containers:
- image: registry.k8s.io/pause
name: container1
hostPID: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
17 changes: 17 additions & 0 deletions ...src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostpathvolumes0.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: hostpathvolumes0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
volumes:
- emptyDir: {}
name: volume-emptydir
- hostPath:
path: /a
name: volume-hostpath
18 changes: 18 additions & 0 deletions ...src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostpathvolumes1.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: hostpathvolumes1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
volumes:
- hostPath:
path: /a
name: volume-hostpath-a
- hostPath:
path: /b
name: volume-hostpath-b
14 changes: 14 additions & 0 deletions staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostports0.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
ports:
- containerPort: 12345
hostPort: 12345
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
14 changes: 14 additions & 0 deletions staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostports1.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
ports:
- containerPort: 12346
hostPort: 12346
19 changes: 19 additions & 0 deletions staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostports2.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports2
spec:
containers:
- image: registry.k8s.io/pause
name: container1
ports:
- containerPort: 12345
hostPort: 12345
- containerPort: 12347
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
ports:
- containerPort: 12346
hostPort: 12346
- containerPort: 12348
15 changes: 15 additions & 0 deletions staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/privileged0.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
privileged: true
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}
15 changes: 15 additions & 0 deletions staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/privileged1.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext: {}
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
privileged: true
securityContext: {}
16 changes: 16 additions & 0 deletions staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/procmount0.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
procMount: Unmasked
hostUsers: false
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}
16 changes: 16 additions & 0 deletions staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/procmount1.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext: {}
hostUsers: false
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}
16 changes: 16 additions & 0 deletions ...io/pod-security-admission/test/testdata/baseline/v1.32/fail/seccompprofile_baseline0.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline0
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext: {}
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext: {}
securityContext:
seccompProfile:
type: Unconfined
16 changes: 16 additions & 0 deletions ...io/pod-security-admission/test/testdata/baseline/v1.32/fail/seccompprofile_baseline1.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline1
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext:
seccompProfile:
type: Unconfined
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}
16 changes: 16 additions & 0 deletions ...io/pod-security-admission/test/testdata/baseline/v1.32/fail/seccompprofile_baseline2.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline2
spec:
containers:
- image: registry.k8s.io/pause
name: container1
securityContext: {}
initContainers:
- image: registry.k8s.io/pause
name: initcontainer1
securityContext:
seccompProfile:
type: Unconfined
securityContext: {}
Loading

0 comments on commit e9d999d

Please sign in to comment.