From e9d999d5c2ddbc07c79cac746deda8b2abde6071 Mon Sep 17 00:00:00 2001 
From: Paco Xu Date: Mon, 23 Sep 2024 12:15:22 +0800 Subject: [PATCH] add PSA testdata 1.32 --- .../policy/check_sysctls.go | 23 ++--- .../k8s.io/pod-security-admission/test/run.go | 2 +- .../baseline/v1.32/fail/apparmorprofile0.yaml | 13 +++ .../baseline/v1.32/fail/apparmorprofile1.yaml | 13 +++ .../v1.32/fail/capabilities_baseline0.yaml | 18 ++++ .../v1.32/fail/capabilities_baseline1.yaml | 18 ++++ .../v1.32/fail/capabilities_baseline2.yaml | 18 ++++ .../v1.32/fail/capabilities_baseline3.yaml | 18 ++++ .../baseline/v1.32/fail/hostnamespaces0.yaml | 12 +++ .../baseline/v1.32/fail/hostnamespaces1.yaml | 12 +++ .../baseline/v1.32/fail/hostnamespaces2.yaml | 12 +++ .../baseline/v1.32/fail/hostpathvolumes0.yaml | 17 ++++ .../baseline/v1.32/fail/hostpathvolumes1.yaml | 18 ++++ .../baseline/v1.32/fail/hostports0.yaml | 14 +++ .../baseline/v1.32/fail/hostports1.yaml | 14 +++ .../baseline/v1.32/fail/hostports2.yaml | 19 ++++ .../baseline/v1.32/fail/privileged0.yaml | 15 +++ .../baseline/v1.32/fail/privileged1.yaml | 15 +++ .../baseline/v1.32/fail/procmount0.yaml | 16 +++ .../baseline/v1.32/fail/procmount1.yaml | 16 +++ .../v1.32/fail/seccompprofile_baseline0.yaml | 16 +++ .../v1.32/fail/seccompprofile_baseline1.yaml | 16 +++ .../v1.32/fail/seccompprofile_baseline2.yaml | 16 +++ .../baseline/v1.32/fail/selinuxoptions0.yaml | 18 ++++ .../baseline/v1.32/fail/selinuxoptions1.yaml | 18 ++++ .../baseline/v1.32/fail/selinuxoptions2.yaml | 18 ++++ .../baseline/v1.32/fail/selinuxoptions3.yaml | 18 ++++ .../baseline/v1.32/fail/selinuxoptions4.yaml | 18 ++++ .../baseline/v1.32/fail/sysctls0.yaml | 15 +++ .../v1.32/fail/windowshostprocess0.yaml | 19 ++++ .../v1.32/fail/windowshostprocess1.yaml | 20 ++++ .../baseline/v1.32/pass/apparmorprofile0.yaml | 13 +++ .../testdata/baseline/v1.32/pass/base.yaml | 11 +++ .../v1.32/pass/capabilities_baseline0.yaml | 44 +++++++++ .../baseline/v1.32/pass/hostports0.yaml | 15 +++ .../baseline/v1.32/pass/privileged0.yaml | 16 +++ 
.../baseline/v1.32/pass/procmount0.yaml | 17 ++++ .../v1.32/pass/seccompprofile_baseline0.yaml | 18 ++++ .../baseline/v1.32/pass/selinuxoptions0.yaml | 15 +++ .../baseline/v1.32/pass/selinuxoptions1.yaml | 21 ++++ .../baseline/v1.32/pass/sysctls0.yaml | 12 +++ .../baseline/v1.32/pass/sysctls1.yaml | 17 ++++ .../v1.32/fail/allowprivilegeescalation0.yaml | 25 +++++ .../v1.32/fail/allowprivilegeescalation1.yaml | 25 +++++ .../v1.32/fail/allowprivilegeescalation2.yaml | 24 +++++ .../v1.32/fail/allowprivilegeescalation3.yaml | 20 ++++ .../v1.32/fail/apparmorprofile0.yaml | 27 ++++++ .../v1.32/fail/apparmorprofile1.yaml | 27 ++++++ .../v1.32/fail/capabilities_baseline0.yaml | 27 ++++++ .../v1.32/fail/capabilities_baseline1.yaml | 27 ++++++ .../v1.32/fail/capabilities_baseline2.yaml | 27 ++++++ .../v1.32/fail/capabilities_baseline3.yaml | 27 ++++++ .../v1.32/fail/capabilities_restricted0.yaml | 23 +++++ .../v1.32/fail/capabilities_restricted1.yaml | 23 +++++ .../v1.32/fail/capabilities_restricted2.yaml | 97 +++++++++++++++++++ .../v1.32/fail/capabilities_restricted3.yaml | 53 ++++++++++ .../v1.32/fail/hostnamespaces0.yaml | 26 +++++ .../v1.32/fail/hostnamespaces1.yaml | 26 +++++ .../v1.32/fail/hostnamespaces2.yaml | 26 +++++ .../v1.32/fail/hostpathvolumes0.yaml | 31 ++++++ .../v1.32/fail/hostpathvolumes1.yaml | 32 ++++++ .../restricted/v1.32/fail/hostports0.yaml | 28 ++++++ .../restricted/v1.32/fail/hostports1.yaml | 28 ++++++ .../restricted/v1.32/fail/hostports2.yaml | 33 +++++++ .../restricted/v1.32/fail/privileged0.yaml | 25 +++++ .../restricted/v1.32/fail/privileged1.yaml | 25 +++++ .../restricted/v1.32/fail/procmount0.yaml | 27 ++++++ .../restricted/v1.32/fail/procmount1.yaml | 27 ++++++ .../v1.32/fail/restrictedvolumes0.yaml | 29 ++++++ .../v1.32/fail/restrictedvolumes1.yaml | 29 ++++++ .../v1.32/fail/restrictedvolumes10.yaml | 29 ++++++ .../v1.32/fail/restrictedvolumes11.yaml | 30 ++++++ .../v1.32/fail/restrictedvolumes12.yaml | 30 ++++++ 
.../v1.32/fail/restrictedvolumes13.yaml | 29 ++++++ .../v1.32/fail/restrictedvolumes14.yaml | 30 ++++++ .../v1.32/fail/restrictedvolumes15.yaml | 30 ++++++ .../v1.32/fail/restrictedvolumes16.yaml | 30 ++++++ .../v1.32/fail/restrictedvolumes17.yaml | 32 ++++++ .../v1.32/fail/restrictedvolumes18.yaml | 29 ++++++ .../v1.32/fail/restrictedvolumes19.yaml | 29 ++++++ .../v1.32/fail/restrictedvolumes2.yaml | 29 ++++++ .../v1.32/fail/restrictedvolumes3.yaml | 30 ++++++ .../v1.32/fail/restrictedvolumes4.yaml | 31 ++++++ .../v1.32/fail/restrictedvolumes5.yaml | 30 ++++++ .../v1.32/fail/restrictedvolumes6.yaml | 31 ++++++ .../v1.32/fail/restrictedvolumes7.yaml | 29 ++++++ .../v1.32/fail/restrictedvolumes8.yaml | 29 ++++++ .../v1.32/fail/restrictedvolumes9.yaml | 30 ++++++ .../restricted/v1.32/fail/runasnonroot0.yaml | 24 +++++ .../restricted/v1.32/fail/runasnonroot1.yaml | 25 +++++ .../restricted/v1.32/fail/runasnonroot2.yaml | 26 +++++ .../restricted/v1.32/fail/runasnonroot3.yaml | 26 +++++ .../restricted/v1.32/fail/runasuser0.yaml | 26 +++++ .../restricted/v1.32/fail/runasuser1.yaml | 26 +++++ .../restricted/v1.32/fail/runasuser2.yaml | 26 +++++ .../v1.32/fail/seccompprofile_baseline0.yaml | 25 +++++ .../v1.32/fail/seccompprofile_baseline1.yaml | 27 ++++++ .../v1.32/fail/seccompprofile_baseline2.yaml | 27 ++++++ .../fail/seccompprofile_restricted0.yaml | 23 +++++ .../fail/seccompprofile_restricted1.yaml | 25 +++++ .../fail/seccompprofile_restricted2.yaml | 25 +++++ .../fail/seccompprofile_restricted3.yaml | 25 +++++ .../fail/seccompprofile_restricted4.yaml | 27 ++++++ .../v1.32/fail/selinuxoptions0.yaml | 29 ++++++ .../v1.32/fail/selinuxoptions1.yaml | 29 ++++++ .../v1.32/fail/selinuxoptions2.yaml | 29 ++++++ .../v1.32/fail/selinuxoptions3.yaml | 29 ++++++ .../v1.32/fail/selinuxoptions4.yaml | 29 ++++++ .../restricted/v1.32/fail/sysctls0.yaml | 28 ++++++ .../v1.32/fail/windowshostprocess0.yaml | 30 ++++++ .../v1.32/fail/windowshostprocess1.yaml | 31 ++++++ 
.../v1.32/pass/apparmorprofile0.yaml | 27 ++++++ .../testdata/restricted/v1.32/pass/base.yaml | 25 +++++ .../restricted/v1.32/pass/base_linux.yaml | 27 ++++++ .../restricted/v1.32/pass/base_windows.yaml | 15 +++ .../v1.32/pass/capabilities_restricted0.yaml | 29 ++++++ .../restricted/v1.32/pass/hostports0.yaml | 29 ++++++ .../restricted/v1.32/pass/privileged0.yaml | 27 ++++++ .../restricted/v1.32/pass/procmount0.yaml | 28 ++++++ .../v1.32/pass/restrictedvolumes0.yaml | 47 +++++++++ .../restricted/v1.32/pass/runasnonroot0.yaml | 25 +++++ .../restricted/v1.32/pass/runasnonroot1.yaml | 26 +++++ .../restricted/v1.32/pass/runasuser0.yaml | 28 ++++++ .../pass/seccompprofile_restricted0.yaml | 25 +++++ .../pass/seccompprofile_restricted1.yaml | 26 +++++ .../pass/seccompprofile_restricted2.yaml | 28 ++++++ .../v1.32/pass/selinuxoptions0.yaml | 26 +++++ .../v1.32/pass/selinuxoptions1.yaml | 32 ++++++ .../restricted/v1.32/pass/sysctls0.yaml | 25 +++++ .../restricted/v1.32/pass/sysctls1.yaml | 30 ++++++ 130 files changed, 3199 insertions(+), 18 deletions(-) create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/apparmorprofile0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/apparmorprofile1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostnamespaces0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostnamespaces1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostnamespaces2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostpathvolumes0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostpathvolumes1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostports0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostports1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostports2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/seccompprofile_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/seccompprofile_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/seccompprofile_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions2.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/sysctls0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/windowshostprocess0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/windowshostprocess1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/apparmorprofile0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/base.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/capabilities_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/hostports0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/seccompprofile_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/selinuxoptions0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/selinuxoptions1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/sysctls0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/sysctls1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/allowprivilegeescalation0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/allowprivilegeescalation1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/allowprivilegeescalation2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/allowprivilegeescalation3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/apparmorprofile0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/apparmorprofile1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_baseline3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_restricted3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostnamespaces0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostnamespaces1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostnamespaces2.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostpathvolumes0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostpathvolumes1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostports0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostports1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostports2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes10.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes11.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes12.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes13.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes14.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes15.yaml create mode 
100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes16.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes17.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes18.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes19.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes5.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes6.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes7.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes8.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes9.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasnonroot0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasnonroot1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasnonroot2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasnonroot3.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasuser0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasuser1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasuser2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions4.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/sysctls0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/windowshostprocess0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/windowshostprocess1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/apparmorprofile0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/base.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/base_linux.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/base_windows.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/capabilities_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/hostports0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/restrictedvolumes0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/runasnonroot0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/runasnonroot1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/runasuser0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/seccompprofile_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/seccompprofile_restricted1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/seccompprofile_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/selinuxoptions0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/selinuxoptions1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/sysctls0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/sysctls1.yaml
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
index a30ed907b2fb2..8e4935fdb07c6 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_sysctls.go
@@ -90,30 +90,19 @@ var (
 "net.ipv4.ping_group_range",
 "net.ipv4.ip_unprivileged_port_start",
 )
- sysctlsAllowedV1Dot27 = sets.NewString(
- "kernel.shm_rmid_forced",
- "net.ipv4.ip_local_port_range",
- "net.ipv4.tcp_syncookies",
- "net.ipv4.ping_group_range",
- "net.ipv4.ip_unprivileged_port_start",
- "net.ipv4.ip_local_reserved_ports",
- )
- sysctlsAllowedV1Dot29 = sets.NewString(
- "kernel.shm_rmid_forced",
- "net.ipv4.ip_local_port_range",
- "net.ipv4.tcp_syncookies",
- "net.ipv4.ping_group_range",
- "net.ipv4.ip_unprivileged_port_start",
+ sysctlsAllowedV1Dot27 = sysctlsAllowedV1Dot0.Union(sets.NewString(
 "net.ipv4.ip_local_reserved_ports",
+ ))
+ sysctlsAllowedV1Dot29 = sysctlsAllowedV1Dot27.Union(sets.NewString(
 "net.ipv4.tcp_keepalive_time",
 "net.ipv4.tcp_fin_timeout",
 "net.ipv4.tcp_keepalive_intvl",
 "net.ipv4.tcp_keepalive_probes",
- )
- sysctlsAllowedV1Dot32 = sets.NewString(
+ ))
+ sysctlsAllowedV1Dot32 = sysctlsAllowedV1Dot29.Union(sets.NewString(
 "net.ipv4.tcp_rmem",
 "net.ipv4.tcp_wmem",
- )
+ ))
 )
 
 func sysctlsV1Dot0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
diff --git a/staging/src/k8s.io/pod-security-admission/test/run.go b/staging/src/k8s.io/pod-security-admission/test/run.go
index 56ccbf9e020ee..7470f89a1f8bc 100644
--- a/staging/src/k8s.io/pod-security-admission/test/run.go
+++ b/staging/src/k8s.io/pod-security-admission/test/run.go
@@ -37,7 +37,7 @@ import (
 )
 
 const (
- newestMinorVersionToTest = 31
+ newestMinorVersionToTest = 32
 podOSBasedRestrictionEnabledVersion = 29
 )
 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/apparmorprofile0.yaml
new file mode 100755
index 0000000000000..87475d347ddca
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/apparmorprofile0.yaml
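Review bot: Chaining `sysctlsAllowedV1Dot27`, `sysctlsAllowedV1Dot29` and `sysctlsAllowedV1Dot32` through `Union` makes each later allowlist depend on every earlier set, so an edit to an earlier set now silently changes the policy of all later versions, whereas the explicit lists being removed kept each released version's allowlist frozen and self-describing. That invariant should be written down where the chain starts; I would add above `sysctlsAllowedV1Dot27` a comment such as `// Each versioned allowlist extends its predecessor. A released version's allowlist must never change, so only add entries to the newest set and never edit an earlier one.`. The removed lines show the previous standalone `sysctlsAllowedV1Dot32` held only `net.ipv4.tcp_rmem` and `net.ipv4.tcp_wmem`, dropping every earlier entry; a unit test asserting the exact membership of each versioned set would have caught that and would guard the new chain against the same class of mistake, though I cannot tell from this hunk whether one exists. The enclosing `var (` block begins before this hunk, and `sysctlsAllowedV1Dot0`, on which the chain is anchored, is only partly visible here.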
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container1: unconfined
+ name: apparmorprofile0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/apparmorprofile1.yaml
new file mode 100755
index 0000000000000..5940a639ec474
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/apparmorprofile1.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
+ name: apparmorprofile1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline0.yaml
new file mode 100755
index 0000000000000..e01a9dece8c49
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline1.yaml
new file mode 100755
index 0000000000000..92239d17896d3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline2.yaml
new file mode 100755
index 0000000000000..089d8c184c2e7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline3.yaml
new file mode 100755
index 0000000000000..4befa1edbea17
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/capabilities_baseline3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostnamespaces0.yaml
new file mode 100755
index 0000000000000..1c4ca9a560a1d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostnamespaces0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostnamespaces0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ hostIPC: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostnamespaces1.yaml
new file mode 100755
index 0000000000000..7967a6d50a990
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostnamespaces1.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostnamespaces1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ hostNetwork: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostnamespaces2.yaml
new file mode 100755
index 0000000000000..00039668cd205
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostnamespaces2.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostnamespaces2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ hostPID: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostpathvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostpathvolumes0.yaml
new file mode 100755
index 0000000000000..7f026136fae16
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostpathvolumes0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpathvolumes0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ volumes:
+ - emptyDir: {}
+ name: volume-emptydir
+ - hostPath:
+ path: /a
+ name: volume-hostpath
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostpathvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostpathvolumes1.yaml
new file mode 100755
index 0000000000000..382d27f4f4946
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostpathvolumes1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpathvolumes1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /a
+ name: volume-hostpath-a
+ - hostPath:
+ path: /b
+ name: volume-hostpath-b
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostports0.yaml
new file mode 100755
index 0000000000000..ebfdcd48d0dee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostports0.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ hostPort: 12345
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostports1.yaml
new file mode 100755
index 0000000000000..d9a2b97af3a3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostports1.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
+ hostPort: 12346
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostports2.yaml
new file mode 100755
index 0000000000000..61b3388f0a75d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/hostports2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ hostPort: 12345
+ - containerPort: 12347
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
+ hostPort: 12346
+ - containerPort: 12348
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/privileged0.yaml
new file mode 100755
index 0000000000000..e5cc7b94fdd92
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/privileged0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/privileged1.yaml
new file mode 100755
index 0000000000000..31935b9955c18
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/privileged1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/procmount0.yaml
new file mode 100755
index 0000000000000..b443b30aa26c0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/procmount0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ procMount: Unmasked
+ hostUsers: false
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/procmount1.yaml
new file mode 100755
index 0000000000000..f5d907d544798
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/procmount1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext: {}
+ hostUsers: false
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ procMount: Unmasked
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/seccompprofile_baseline0.yaml
new file mode 100755
index 0000000000000..f455958da8288
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/seccompprofile_baseline0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seccompProfile:
+ type: Unconfined
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/seccompprofile_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/seccompprofile_baseline1.yaml
new file mode 100755
index 0000000000000..8a86112acd10c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/seccompprofile_baseline1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/seccompprofile_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/seccompprofile_baseline2.yaml
new file mode 100755
index 0000000000000..21822558178a2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/seccompprofile_baseline2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions0.yaml
new file mode 100755
index 0000000000000..f3307078cd7b5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions1.yaml
new file mode 100755
index 0000000000000..6629d05efc43c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions2.yaml
new file mode 100755
index 0000000000000..65876a92b6145
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions3.yaml
new file mode 100755
index 0000000000000..71d89fbe572fb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions4.yaml
new file mode 100755
index 0000000000000..74e05cbb709a8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/selinuxoptions4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions4
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/sysctls0.yaml
new file mode 100755
index 0000000000000..81508d69e60ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/windowshostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/windowshostprocess0.yaml
new file mode 100755
index 0000000000000..1e506b1f8037c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/windowshostprocess0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: windowshostprocess0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ windowsOptions: {}
+ hostNetwork: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ windowsOptions: {}
+ securityContext:
+ windowsOptions:
+ hostProcess: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/windowshostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/windowshostprocess1.yaml
new file mode 100755
index 0000000000000..1a9d3e94a0ea8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/fail/windowshostprocess1.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: windowshostprocess1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ windowsOptions:
+ hostProcess: true
+ hostNetwork: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ windowsOptions:
+ hostProcess: true
+ securityContext:
+ windowsOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/apparmorprofile0.yaml
new file mode 100755
index 0000000000000..213a6a6c411c4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/apparmorprofile0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
+ name: apparmorprofile0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/base.yaml
new file mode 100755
index 0000000000000..387a4be317071
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/capabilities_baseline0.yaml
new file mode 100755
index 0000000000000..df93c1cd65200
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/capabilities_baseline0.yaml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/hostports0.yaml
new file mode 100755
index 0000000000000..61fddccdbbe1a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/hostports0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/privileged0.yaml
new file mode 100755
index 0000000000000..0b64b687c7aea
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/procmount0.yaml
new file mode 100755
index 0000000000000..53468519b3209
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/procmount0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ procMount: Default
+ hostUsers: false
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ procMount: Default
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/seccompprofile_baseline0.yaml
new file mode 100755
index 0000000000000..2e05d163254e9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/seccompprofile_baseline0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/selinuxoptions0.yaml
new file mode 100755
index 0000000000000..dafa4dbc3dec8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/selinuxoptions0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/selinuxoptions1.yaml
new file mode 100755
index 0000000000000..a2688f5c23efa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/selinuxoptions1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ type: container_init_t
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/sysctls0.yaml
new file mode 100755
index 0000000000000..2148dc0867ebb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/sysctls1.yaml
new file mode 100755
index 0000000000000..96eb717348941
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.32/pass/sysctls1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: net.ipv4.tcp_rmem
+ value: 4096 87380 16777216
+ - name: net.ipv4.tcp_wmem
+ value: 4096 65536 16777216
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/allowprivilegeescalation0.yaml
new file mode 100755
index 0000000000000..837b55acc9513
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/allowprivilegeescalation0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
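Review bot: The pass/sysctls1.yaml fixture is the only place this series pins the sysctls `net.ipv4.tcp_rmem` and `net.ipv4.tcp_wmem` as accepted by the baseline check, and it pins them only in the accepting direction; the check itself (check_sysctls.go in the diffstat) is outside this hunk. If that allowance is new in v1.32, as the v1.32-only directory suggests, the same two sysctls should also appear in a fail fixture for the previous version directory so the version gate is exercised and a regression that accepts them everywhere is caught. A one-line comment in the fixture generator naming the release that introduced the allowance, e.g. `# net.ipv4.tcp_rmem/tcp_wmem allowed from v1.32`, would make the intent of this pass case clear to whoever regenerates the fixtures next.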
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/allowprivilegeescalation1.yaml
new file mode 100755
index 0000000000000..6189466557900
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/allowprivilegeescalation1.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/allowprivilegeescalation2.yaml
new file mode 100755
index 0000000000000..9302cc63494e1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/allowprivilegeescalation2.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/allowprivilegeescalation3.yaml
new file mode 100755
index 0000000000000..083ce350f4e73
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/allowprivilegeescalation3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/apparmorprofile0.yaml
new file mode 100755
index 0000000000000..14de67ea27c4e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/apparmorprofile0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container1: unconfined
+ name: apparmorprofile0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/apparmorprofile1.yaml
new file mode 100755
index 0000000000000..0e4313b54219f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/apparmorprofile1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
+ name: apparmorprofile1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_baseline0.yaml
new file mode 100755
index 0000000000000..2be0164f3e157
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_baseline0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_baseline1.yaml
new file mode 100755
index 0000000000000..f68d6b3883069
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_baseline1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_baseline2.yaml
new file mode 100755
index 0000000000000..702bd87de6e9c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_baseline2.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_baseline3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_baseline3.yaml
new file mode 100755
index 0000000000000..3e6aa463175b7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_baseline3.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_restricted0.yaml
new file mode 100755
index 0000000000000..857c11b86bbd3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_restricted0.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_restricted0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_restricted1.yaml
new file mode 100755
index 0000000000000..9c987673a0a6c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_restricted1.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_restricted1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_restricted2.yaml
new file mode 100755
index 0000000000000..be25f6aeac1d5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_restricted2.yaml
@@ -0,0 +1,97 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - SYS_TIME + - SYS_MODULE + - SYS_RAWIO + - SYS_PACCT + - SYS_ADMIN + - SYS_NICE + - SYS_RESOURCE + - SYS_TIME + - SYS_TTY_CONFIG + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + - MAC_OVERRIDE + - MAC_ADMIN + - NET_ADMIN + - SYSLOG + - CHOWN + - NET_RAW + - DAC_OVERRIDE + - FOWNER + - DAC_READ_SEARCH + - FSETID + - KILL + - SETGID + - SETUID + - LINUX_IMMUTABLE + - NET_BIND_SERVICE + - NET_BROADCAST + - IPC_LOCK + - IPC_OWNER + - SYS_CHROOT + - SYS_PTRACE + - SYS_BOOT + - LEASE + - SETFCAP + - WAKE_ALARM + - BLOCK_SUSPEND + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - SYS_TIME + - SYS_MODULE + - SYS_RAWIO + - SYS_PACCT + - SYS_ADMIN + - SYS_NICE + - SYS_RESOURCE + - SYS_TIME + - SYS_TTY_CONFIG + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + - MAC_OVERRIDE + - MAC_ADMIN + - NET_ADMIN + - SYSLOG + - CHOWN + - NET_RAW + - DAC_OVERRIDE + - FOWNER + - DAC_READ_SEARCH + - FSETID + - KILL + - SETGID + - SETUID + - LINUX_IMMUTABLE + - NET_BIND_SERVICE + - NET_BROADCAST + - IPC_LOCK + - IPC_OWNER + - SYS_CHROOT + - SYS_PTRACE + - SYS_BOOT + - LEASE + - SETFCAP + - WAKE_ALARM + - BLOCK_SUSPEND + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_restricted3.yaml new file mode 100755 index 0000000000000..517cc3cbc2002 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/capabilities_restricted3.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostnamespaces0.yaml new file mode 100755 index 0000000000000..c1a7b7a4ba928 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostnamespaces0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostIPC: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostnamespaces1.yaml new file mode 100755 index 0000000000000..caa294e373c4a --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostnamespaces1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostnamespaces2.yaml new file mode 100755 index 0000000000000..32350899785db --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostnamespaces2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostPID: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostpathvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostpathvolumes0.yaml new file mode 100755 index 0000000000000..86745e64a08e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostpathvolumes0.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - emptyDir: {} + name: volume-emptydir + - hostPath: + path: /a + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostpathvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostpathvolumes1.yaml new file mode 100755 index 0000000000000..bc7759c203659 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostpathvolumes1.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /a + name: volume-hostpath-a + - hostPath: + path: /b + name: volume-hostpath-b diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostports0.yaml new file mode 100755 index 0000000000000..9bf9055d9ee10 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostports0.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostports1.yaml new file mode 100755 index 0000000000000..ddecbf4925d86 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostports1.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostports2.yaml new file mode 100755 index 0000000000000..ed9f6920981d6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/hostports2.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + - containerPort: 12347 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + - containerPort: 12348 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/privileged0.yaml new file mode 100755 index 0000000000000..7ad39f5c045b8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/privileged0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + drop: + - ALL + privileged: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/privileged1.yaml new file mode 100755 index 0000000000000..cb41dcb3aa4dd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/privileged1.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: + drop: + - ALL + privileged: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/procmount0.yaml new file mode 100755 index 0000000000000..25790769b1be3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/procmount0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + hostUsers: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/procmount1.yaml new file mode 100755 index 0000000000000..04e86120075bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/procmount1.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostUsers: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes0.yaml new file mode 100755 index 0000000000000..5a95336d26956 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - gcePersistentDisk: + pdName: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes1.yaml new file mode 100755 index 0000000000000..153326fea893c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes1.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - awsElasticBlockStore: + volumeID: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes10.yaml new file mode 100755 index 0000000000000..f34afe69ca897 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes10.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - flocker: + datasetName: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes11.yaml new file mode 100755 index 0000000000000..384e06f6b2301 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes11.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - fc: + wwids: + - test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes12.yaml new file mode 100755 index 0000000000000..8757fbf7fb4ba --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes12.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - azureFile: + secretName: test + shareName: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes13.yaml new file mode 100755 index 0000000000000..9e2086df359b5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes13.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + vsphereVolume: + volumePath: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes14.yaml new file mode 100755 index 0000000000000..d8b9605e4d152 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes14.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + quobyte: + registry: localhost:1234 + volume: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes15.yaml new file mode 100755 index 0000000000000..f3462ab7f43e6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes15.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - azureDisk: + diskName: test + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes16.yaml new file mode 100755 index 0000000000000..d83daa6fcb142 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes16.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + portworxVolume: + fsType: ext4 + volumeID: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes17.yaml new file mode 100755 index 0000000000000..23f6b770e4644 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes17.yaml 
@@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + scaleIO: + gateway: localhost + secretRef: null + system: test + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes18.yaml new file mode 100755 index 0000000000000..ca5d93f57fd30 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes18.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes19.yaml new file mode 100755 index 0000000000000..4ca4381bec973 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes19.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /dev/null + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes2.yaml new file mode 100755 index 0000000000000..9154458079c12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes2.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes3.yaml new file mode 100755 index 0000000000000..f1060bc355198 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes3.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + nfs: + path: /test + server: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes4.yaml new file mode 100755 index 0000000000000..3a1447417e476 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes4.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes5.yaml new file mode 100755 index 0000000000000..e64cbe9ab50ce --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes5.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - glusterfs: + endpoints: test + path: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes6.yaml new file mode 100755 index 0000000000000..4d596c9e4156e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes6.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + rbd: + image: test + monitors: + - test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes7.yaml new file mode 100755 index 0000000000000..c3887a35c1222 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes7.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - flexVolume: + driver: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes8.yaml new file mode 100755 index 0000000000000..e11afbbe8ec1d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes8.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - cinder: + volumeID: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes9.yaml new file mode 100755 index 0000000000000..8159a4858b96b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/restrictedvolumes9.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - cephfs: + monitors: + - test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasnonroot0.yaml new file mode 100755 index 0000000000000..f460f659d94d3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasnonroot0.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasnonroot1.yaml new file mode 100755 index 0000000000000..285409793ea15 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasnonroot1.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: false + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasnonroot2.yaml new file mode 100755 index 0000000000000..067c7970fa7e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasnonroot2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasnonroot3.yaml new file mode 100755 index 0000000000000..5459f294e0b5c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasnonroot3.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasuser0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasuser0.yaml new file mode 100755 index 0000000000000..5f7c9e0f0055a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasuser0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + runAsUser: 0 + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasuser1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasuser1.yaml new file mode 100755 index 0000000000000..ff62334ead6b5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasuser1.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 0 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasuser2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasuser2.yaml new file mode 100755 index 0000000000000..26c713497d0d0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/runasuser2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 0 + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_baseline0.yaml new file mode 100755 index 0000000000000..0b875ce5f0194 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_baseline0.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_baseline1.yaml new file mode 100755 index 0000000000000..3e63c31668cde --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_baseline1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: Unconfined + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_baseline2.yaml new file mode 100755 index 0000000000000..4cd99407164bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_baseline2.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted0.yaml new file mode 100755 index 0000000000000..64b5604b5a4e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted0.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted1.yaml new file mode 100755 index 0000000000000..2ec3d48dfb6af --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted1.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted2.yaml new file mode 100755 index 0000000000000..c63c622a6add8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted2.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted3.yaml new file mode 100755 index 0000000000000..69c969f8a6819 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted3.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted4.yaml new file mode 100755 index 0000000000000..b17bf7648e41b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/seccompprofile_restricted4.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions0.yaml new file mode 100755 index 0000000000000..7135bb20b8e24 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions0.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions1.yaml new file mode 100755 index 0000000000000..c99b8a5ed4f6b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions1.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + type: somevalue + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions2.yaml new file mode 100755 index 0000000000000..f2eafc2512bec --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions2.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + type: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions3.yaml new file mode 100755 index 0000000000000..1da063ebd1f16 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions3.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + user: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions4.yaml new file mode 100755 index 0000000000000..a4a38fb6034a9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/selinuxoptions4.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + role: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/sysctls0.yaml new file mode 100755 index 0000000000000..841f73d238f5c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/sysctls0.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + sysctls: + - name: othersysctl + value: other diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/windowshostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/windowshostprocess0.yaml new file mode 100755 index 0000000000000..4262e6a5b8269 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/windowshostprocess0.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: windowshostprocess0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + windowsOptions: {} + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + windowsOptions: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/windowshostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/windowshostprocess1.yaml new file mode 100755 index 0000000000000..ba1ce4a472f05 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/fail/windowshostprocess1.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: windowshostprocess1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + windowsOptions: + hostProcess: true + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + windowsOptions: + hostProcess: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + windowsOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/apparmorprofile0.yaml new file mode 100755 index 0000000000000..53ebdaa01393e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/apparmorprofile0.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container1: localhost/foo + name: apparmorprofile0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/base.yaml new file mode 100755 index 0000000000000..3b4f3077dccd6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/base.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/base_linux.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/base_linux.yaml new file mode 100755 index 0000000000000..67563df702283 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/base_linux.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base_linux +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + os: + name: linux + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/base_windows.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/base_windows.yaml new file mode 100755 index 0000000000000..2bc48b4f6b734 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/base_windows.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base_windows +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + os: + name: windows + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/capabilities_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/capabilities_restricted0.yaml new file mode 100755 index 0000000000000..8a70cb3efdbd4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/capabilities_restricted0.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/hostports0.yaml new file mode 100755 index 0000000000000..e7f1153589429 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/hostports0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/privileged0.yaml new file mode 100755 index 0000000000000..8e3aafdd8f17c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/privileged0.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/procmount0.yaml new file mode 100755 index 0000000000000..5db5a5c947a60 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/procmount0.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Default + hostUsers: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Default + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/restrictedvolumes0.yaml new file mode 100755 index 0000000000000..a11722485c5a7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/restrictedvolumes0.yaml 
@@ -0,0 +1,47 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume0 + - emptyDir: {} + name: volume1 + - name: volume2 + secret: + secretName: test + - name: volume3 + persistentVolumeClaim: + claimName: test + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume4 + - configMap: + name: test + name: volume5 + - name: volume6 + projected: + sources: [] diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/runasnonroot0.yaml new file mode 100755 index 0000000000000..414ac79b469e9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/runasnonroot0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/runasnonroot1.yaml new file mode 100755 index 0000000000000..549b013e53f8f --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/runasnonroot1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/runasuser0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/runasuser0.yaml new file mode 100755 index 0000000000000..ed7aff0fa1229 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/runasuser0.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 1000 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 1000 + securityContext: + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/seccompprofile_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/seccompprofile_restricted0.yaml new file mode 100755 index 0000000000000..f904065ce466a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/seccompprofile_restricted0.yaml 
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_restricted0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/seccompprofile_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/seccompprofile_restricted1.yaml
new file mode 100755
index 0000000000000..5a60fd7c59b62
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/seccompprofile_restricted1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_restricted1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      localhostProfile: testing
+      type: Localhost
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/seccompprofile_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/seccompprofile_restricted2.yaml
new file mode 100755
index 0000000000000..39d68e386b69b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/seccompprofile_restricted2.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccompprofile_restricted2
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seccompProfile:
+        type: RuntimeDefault
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seccompProfile:
+        localhostProfile: testing
+        type: Localhost
+  securityContext:
+    runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/selinuxoptions0.yaml
new file mode 100755
index 0000000000000..a45080b742590
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/selinuxoptions0.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seLinuxOptions: {}
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/selinuxoptions1.yaml
new file mode 100755
index 0000000000000..0a8365605e96d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/selinuxoptions1.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: selinuxoptions1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seLinuxOptions:
+        level: somevalue
+        type: container_init_t
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seLinuxOptions:
+        type: container_kvm_t
+  securityContext:
+    runAsNonRoot: true
+    seLinuxOptions:
+      type: container_t
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/sysctls0.yaml
new file mode 100755
index 0000000000000..84224ffa94d65
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/sysctls0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sysctls0
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/sysctls1.yaml
new file mode 100755
index 0000000000000..a066dc427693a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.32/pass/sysctls1.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sysctls1
+spec:
+  containers:
+  - image: registry.k8s.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  initContainers:
+  - image: registry.k8s.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+  securityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+    sysctls:
+    - name: net.ipv4.tcp_rmem
+      value: 4096 87380 16777216
+    - name: net.ipv4.tcp_wmem
+      value: 4096 65536 16777216