From b3a2e6a3f4c72cbb15f3f534ea562000b69372ce Mon Sep 17 00:00:00 2001
From: ravisantoshgudimetla
Date: Tue, 26 Oct 2021 16:06:06 -0400
Subject: [PATCH 1/2] [podsecurity] OS based updates to restricted standard
---
 .../policy/check_allowPrivilegeEscalation.go | 14 +++
 .../check_allowPrivilegeEscalation_test.go | 61 ++++++++++-
 .../policy/check_capabilities_restricted.go | 15 +++
 .../check_capabilities_restricted_test.go | 57 +++++++++-
 .../policy/check_seccompProfile_restricted.go | 17 +++
 .../check_seccompProfile_restricted_test.go | 100 +++++++++++++++++-
 6 files changed, 261 insertions(+), 3 deletions(-)
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go b/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go
index 496b746d0a50..d531612a1e58 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation.go
@@ -52,6 +52,11 @@ func CheckAllowPrivilegeEscalation() Check {
 MinimumVersion: api.MajorMinorVersion(1, 8),
 CheckPod: allowPrivilegeEscalation_1_8,
 },
+ {
+ // Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows.
+ MinimumVersion: api.MajorMinorVersion(1, 25),
+ CheckPod: allowPrivilegeEscalation_1_25,
+ },
 },
 }
 }
@@ -77,3 +82,12 @@ func allowPrivilegeEscalation_1_8(podMetadata *metav1.ObjectMeta, podSpec *corev
 }
 return CheckResult{Allowed: true}
 }
+
+func allowPrivilegeEscalation_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+ // Pod API validation would have failed if podOS == Windows and if privilegeEscalation has been set.
+ // We can admit the Windows pod even if privilegeEscalation has not been set.
+ if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows {
+ return CheckResult{Allowed: true}
+ }
+ return allowPrivilegeEscalation_1_8(podMetadata, podSpec)
+}
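Review bot: The Windows branch in `allowPrivilegeEscalation_1_25` admits the pod on the declared `spec.os.name` alone and never inspects a container, and the comment above it justifies that by Pod API validation rather than by anything this check verifies itself. As I understand it this package is also run against objects that need not have passed that validation (controller pod templates, offline or out-of-tree evaluation), where a spec carrying `os.name: windows` together with an explicit `allowPrivilegeEscalation: true` would now pass the restricted profile; whether such a pod can ever run also presumably depends on the kubelet rejecting a spec.os that does not match the node, which is nowhere stated here. A form that does not depend on validation would keep rejecting an explicit `true` for Windows pods and only relax the unset-means-deny rule, which in this function means walking the containers instead of the early `return CheckResult{Allowed: true}`. At minimum the comment should name the dependency, e.g. `// Windows pods are admitted without inspection: Pod API validation is relied on to reject allowPrivilegeEscalation when spec.os.name=windows, and the kubelet to reject pods whose spec.os does not match the node OS.`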
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation_test.go
index bed26d28cabe..702f49512c94 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_allowPrivilegeEscalation_test.go
@@ -23,7 +23,66 @@ import (
 utilpointer "k8s.io/utils/pointer"
 )
-func TestAllowPrivilegeEscalation(t *testing.T) {
+func TestAllowPrivilegeEscalation_1_25(t *testing.T) {
+ tests := []struct {
+ name string
+ pod *corev1.Pod
+ expectReason string
+ expectDetail string
+ allowed bool
+ }{
+ {
+ name: "multiple containers",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ Containers: []corev1.Container{
+ {Name: "a"},
+ {Name: "b", SecurityContext: &corev1.SecurityContext{AllowPrivilegeEscalation: nil}},
+ {Name: "c", SecurityContext: &corev1.SecurityContext{AllowPrivilegeEscalation: utilpointer.Bool(true)}},
+ {Name: "d", SecurityContext: &corev1.SecurityContext{AllowPrivilegeEscalation: utilpointer.Bool(false)}},
+ }}},
+ expectReason: `allowPrivilegeEscalation != false`,
+ expectDetail: `containers "a", "b", "c" must set securityContext.allowPrivilegeEscalation=false`,
+ allowed: false,
+ },
+ {
+ name: "windows pod, admit without checking privilegeEscalation",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ OS: &corev1.PodOS{Name: corev1.Windows},
+ Containers: []corev1.Container{
+ {Name: "a"},
+ }}},
+ allowed: true,
+ },
+ {
+ name: "linux pod, reject if security context is not set",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ OS: &corev1.PodOS{Name: corev1.Linux},
+ Containers: []corev1.Container{
+ {Name: "a"},
+ }}},
+ expectReason: `allowPrivilegeEscalation != false`,
+ expectDetail: `container "a" must set securityContext.allowPrivilegeEscalation=false`,
+ allowed: false,
+ },
+ }
+
+ for _, tc := range tests {
+ t.Run(tc.name, func(t *testing.T) {
+ result := allowPrivilegeEscalation_1_25(&tc.pod.ObjectMeta, &tc.pod.Spec)
+ if result.Allowed && !tc.allowed {
+ t.Fatal("expected disallowed")
+ }
+ if e, a := tc.expectReason, result.ForbiddenReason; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ })
+ }
+}
+
+func TestAllowPrivilegeEscalation_1_8(t *testing.T) {
 tests := []struct {
 name string
 pod *corev1.Pod
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go b/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go
index 48b1ea897b58..9d70b0304abc 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted.go
@@ -66,6 +66,12 @@ func CheckCapabilitiesRestricted() Check {
 CheckPod: capabilitiesRestricted_1_22,
 OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID},
 },
+ // Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows.
+ {
+ MinimumVersion: api.MajorMinorVersion(1, 25),
+ CheckPod: capabilitiesRestricted_1_25,
+ OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID},
+ },
 },
 }
 }
@@ -128,3 +134,12 @@ func capabilitiesRestricted_1_22(podMetadata *metav1.ObjectMeta, podSpec *corev1
 }
 return CheckResult{Allowed: true}
 }
+
+func capabilitiesRestricted_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+ // Pod API validation would have failed if podOS == Windows and if capabilities have been set.
+ // We can admit the Windows pod even if capabilities has not been set.
+ if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows {
+ return CheckResult{Allowed: true}
+ }
+ return capabilitiesRestricted_1_22(podMetadata, podSpec)
+}
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted_test.go
index 4e6dcd6e3180..10528293aefe 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_capabilities_restricted_test.go
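Review bot: The new `allowed` field in `TestAllowPrivilegeEscalation_1_25` is only checked in one direction: `if result.Allowed && !tc.allowed` catches an unexpected admit, but a case marked `allowed: true` that comes back denied is caught only indirectly through the reason/detail comparison, and a denial with an empty ForbiddenReason would slip through. Add the converse right after it: `if !result.Allowed && tc.allowed { t.Fatal("expected allowed") }`. The hunk ends inside `TestAllowPrivilegeEscalation_1_8`, whose body continues beyond it.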
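Review bot: Because the new table entry keeps `OverrideCheckIDs: []CheckID{checkCapabilitiesBaselineID}`, a pod declaring `spec.os.name: windows` that is evaluated against the restricted level at 1.25 or later skips the baseline capabilities check as well as the restricted one, on the declared field alone (as I read the override semantics), yet the comment above the entry only says the pod is exempted "from this check". That widening is invisible at the call site and belongs next to the override, e.g. `// Starting 1.25, pods with spec.os.name=windows are admitted by this check and, through the override, bypass the baseline capabilities check too; Pod API validation is relied on to reject securityContext.capabilities on such pods.`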
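Review bot: The guard `podSpec.OS != nil && podSpec.OS.Name == corev1.Windows` in `capabilitiesRestricted_1_25` is the third copy of the same expression in this commit, with the allowPrivilegeEscalation and seccomp checks carrying identical ones under near-identical two-line comments. One package-level helper, `func isWindowsPod(podSpec *corev1.PodSpec) bool { return podSpec.OS != nil && podSpec.OS.Name == corev1.Windows }`, used as `if isWindowsPod(podSpec) {`, keeps the three 1.25 checks from drifting if the OS test ever has to change. The comment should also say what "admit" covers here: `// Windows pods are admitted without inspecting capabilities at all.`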
@@ -22,12 +22,13 @@ import (
 corev1 "k8s.io/api/core/v1"
 )
-func TestCapabilitiesRestricted(t *testing.T) {
+func TestCapabilitiesRestricted_1_25(t *testing.T) {
 tests := []struct {
 name string
 pod *corev1.Pod
 expectReason string
 expectDetail string
+ allowed bool
 }{
 {
 name: "multiple containers",
@@ -40,8 +41,62 @@ func TestCapabilitiesRestricted(t *testing.T) {
 expectReason: `unrestricted capabilities`,
 expectDetail: `containers "a", "b" must set securityContext.capabilities.drop=["ALL"]; containers "a", "b", "c" must not include "BAR", "BAZ", "CHOWN", "FOO" in securityContext.capabilities.add`,
 },
+ {
+ name: "windows pod, admit without checking capabilities",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ OS: &corev1.PodOS{Name: corev1.Windows},
+ Containers: []corev1.Container{
+ {Name: "a"},
+ }}},
+ allowed: true,
+ },
+ {
+ name: "linux pod, reject if security context is not set",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ OS: &corev1.PodOS{Name: corev1.Linux},
+ Containers: []corev1.Container{
+ {Name: "a"},
+ }}},
+ expectReason: `unrestricted capabilities`,
+ expectDetail: `container "a" must set securityContext.capabilities.drop=["ALL"]`,
+ allowed: false,
+ },
+ }
+ for _, tc := range tests {
+ t.Run(tc.name, func(t *testing.T) {
+ result := capabilitiesRestricted_1_25(&tc.pod.ObjectMeta, &tc.pod.Spec)
+ if result.Allowed && !tc.allowed {
+ t.Fatal("expected disallowed")
+ }
+ if e, a := tc.expectReason, result.ForbiddenReason; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ })
 }
+}
+func TestCapabilitiesRestricted_1_22(t *testing.T) {
+ tests := []struct {
+ name string
+ pod *corev1.Pod
+ expectReason string
+ expectDetail string
+ }{
+ {
+ name: "multiple containers",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ Containers: []corev1.Container{
+ {Name: "a", SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"FOO", "BAR"}}}},
+ {Name: "b", SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"BAR", "BAZ"}}}},
+ {Name: "c", SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"NET_BIND_SERVICE", "CHOWN"}, Drop: []corev1.Capability{"ALL", "FOO"}}}},
+ }}},
+ expectReason: `unrestricted capabilities`,
+ expectDetail: `containers "a", "b" must set securityContext.capabilities.drop=["ALL"]; containers "a", "b", "c" must not include "BAR", "BAZ", "CHOWN", "FOO" in securityContext.capabilities.add`,
+ },
+ }
 for _, tc := range tests {
 t.Run(tc.name, func(t *testing.T) {
 result := capabilitiesRestricted_1_22(&tc.pod.ObjectMeta, &tc.pod.Spec)
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go b/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go
index 1a8535a0f373..9040e0fb05a9 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted.go
@@ -55,6 +55,12 @@ func CheckSeccompProfileRestricted() Check {
 CheckPod: seccompProfileRestricted_1_19,
 OverrideCheckIDs: []CheckID{checkSeccompBaselineID},
 },
+ // Starting 1.25, windows pods would be exempted from this check using pod.spec.os field when set to windows.
+ {
+ MinimumVersion: api.MajorMinorVersion(1, 25),
+ CheckPod: seccompProfileRestricted_1_25,
+ OverrideCheckIDs: []CheckID{checkSeccompBaselineID},
+ },
 },
 }
 }
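Review bot: The Windows case in `TestCapabilitiesRestricted_1_25` uses a container with no securityContext, so it exercises only the "unset is fine" half of the exemption; nothing pins what the check does with a Windows pod that explicitly adds capabilities, which from the check's code is to return Allowed without looking. Add a case with `OS: &corev1.PodOS{Name: corev1.Windows}` and `{Name: "a", SecurityContext: &corev1.SecurityContext{Capabilities: &corev1.Capabilities{Add: []corev1.Capability{"NET_ADMIN"}}}}` marked `allowed: true`, so the reliance on API validation is explicit in the test rather than implied, or `allowed: false` if the check is tightened later. The hunk ends inside `TestCapabilitiesRestricted_1_22`, whose loop body continues beyond it.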
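Review bot: The `// Starting 1.25 ...` comment on the new entry in `CheckSeccompProfileRestricted` sits above the `{` of the table entry, while the matching entry in check_allowPrivilegeEscalation.go in this same commit places it inside the literal, above `MinimumVersion`. Pick one placement for all three files; inside the entry reads better because the comment stays attached to the fields it explains when entries are reordered.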
@@ -136,3 +142,14 @@ func seccompProfileRestricted_1_19(podMetadata *metav1.ObjectMeta, podSpec *core
 return CheckResult{Allowed: true}
 }
+
+// seccompProfileRestricted_1_25 checks restricted policy on securityContext.seccompProfile field for kubernetes
+// version 1.25 and above
+func seccompProfileRestricted_1_25(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+ // Pod API validation would have failed if podOS == Windows and if secCompProfile has been set.
+ // We can admit the Windows pod even if seccompProfile has not been set.
+ if podSpec.OS != nil && podSpec.OS.Name == corev1.Windows {
+ return CheckResult{Allowed: true}
+ }
+ return seccompProfileRestricted_1_19(podMetadata, podSpec)
+}
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted_test.go
index fec506bd5272..49656204788c 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_seccompProfile_restricted_test.go
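Review bot: The doc comment on `seccompProfileRestricted_1_25` says it "checks restricted policy on securityContext.seccompProfile", but for a pod with `spec.os.name: windows` it checks nothing and returns Allowed before reading any seccompProfile field, at pod or container level. The doc comment should lead with that, e.g. `// seccompProfileRestricted_1_25 applies the 1.19 seccomp rules to pods that do not declare spec.os.name=windows and admits Windows pods outright, relying on Pod API validation to reject seccompProfile on them.` The body comment's `secCompProfile` should also be spelled `seccompProfile` to match the field and the line below it.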
@@ -22,7 +22,105 @@ import (
 corev1 "k8s.io/api/core/v1"
 )
-func TestSeccompProfileRestricted(t *testing.T) {
+func TestSeccompProfileRestricted_1_25(t *testing.T) {
+ tests := []struct {
+ name string
+ pod *corev1.Pod
+ expectReason string
+ expectDetail string
+ allowed bool
+ }{
+ {
+ name: "no explicit seccomp",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ Containers: []corev1.Container{
+ {Name: "a"},
+ },
+ }},
+ expectReason: `seccompProfile`,
+ expectDetail: `pod or container "a" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"`,
+ },
+ {
+ name: "no explicit seccomp, windows Pod",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ OS: &corev1.PodOS{Name: corev1.Windows},
+ Containers: []corev1.Container{
+ {Name: "a"},
+ },
+ }},
+ allowed: true,
+ },
+ {
+ name: "no explicit seccomp, linux pod",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ OS: &corev1.PodOS{Name: corev1.Linux},
+ Containers: []corev1.Container{
+ {Name: "a"},
+ },
+ }},
+ expectReason: `seccompProfile`,
+ expectDetail: `pod or container "a" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"`,
+ allowed: false,
+ },
+ {
+ name: "pod seccomp invalid",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined}},
+ Containers: []corev1.Container{
+ {Name: "a", SecurityContext: nil},
+ },
+ }},
+ expectReason: `seccompProfile`,
+ expectDetail: `pod must not set securityContext.seccompProfile.type to "Unconfined"`,
+ },
+ {
+ name: "containers seccomp invalid",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ SecurityContext: &corev1.PodSecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}},
+ Containers: []corev1.Container{
+ {Name: "a", SecurityContext: nil},
+ {Name: "b", SecurityContext: &corev1.SecurityContext{}},
+ {Name: "c", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined}}},
+ {Name: "d", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined}}},
+ {Name: "e", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}},
+ {Name: "f", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}},
+ },
+ }},
+ expectReason: `seccompProfile`,
+ expectDetail: `containers "c", "d" must not set securityContext.seccompProfile.type to "Unconfined"`,
+ },
+ {
+ name: "pod nil, container fallthrough",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ Containers: []corev1.Container{
+ {Name: "a", SecurityContext: nil},
+ {Name: "b", SecurityContext: &corev1.SecurityContext{}},
+ {Name: "d", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}},
+ {Name: "e", SecurityContext: &corev1.SecurityContext{SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}}},
+ },
+ }},
+ expectReason: `seccompProfile`,
+ expectDetail: `pod or containers "a", "b" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"`,
+ },
+ }
+
+ for _, tc := range tests {
+ t.Run(tc.name, func(t *testing.T) {
+ result := seccompProfileRestricted_1_25(&tc.pod.ObjectMeta, &tc.pod.Spec)
+ if result.Allowed && !tc.allowed {
+ t.Fatal("expected disallowed")
+ }
+ if e, a := tc.expectReason, result.ForbiddenReason; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ })
+ }
+}
+
+func TestSeccompProfileRestricted_1_19(t *testing.T) {
 tests := []struct {
 name string
 pod *corev1.Pod
From 96950f5f796c72ba525026d6c8b2f3809314b33b Mon Sep 17 00:00:00 2001
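Review bot: The "no explicit seccomp", "pod seccomp invalid", "containers seccomp invalid" and "pod nil, container fallthrough" cases in `TestSeccompProfileRestricted_1_25` appear to be verbatim copies of the cases that stay behind in the renamed `TestSeccompProfileRestricted_1_19`, so any future change to the expected wording has to be made twice and the two tests can silently diverge. Keep one shared case slice and run it through both functions from a small table keyed by the check function, appending only the two OS-specific cases for the 1.25 run. Those copied cases also omit `allowed`; it defaults to false, which is what they need, but setting it explicitly as the "linux pod" case does keeps the table readable. `TestSeccompProfileRestricted_1_19` continues beyond the end of the hunk.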
From: Ravi Gudimetla Date: Wed, 13 Jul 2022 20:05:38 -0400 Subject: [PATCH 2/2] Update test fixtures --- .../pod-security-admission/test/fixtures.go | 73 +++++++++++++- .../test/fixtures_allowPrivilegeEscalation.go | 3 + .../test/fixtures_test.go | 20 +++- .../k8s.io/pod-security-admission/test/run.go | 57 +++++++++-- .../baseline/v1.24/fail/apparmorprofile0.yaml | 13 +++ .../baseline/v1.24/fail/apparmorprofile1.yaml | 13 +++ .../v1.24/fail/capabilities_baseline0.yaml | 18 ++++ .../v1.24/fail/capabilities_baseline1.yaml | 18 ++++ .../v1.24/fail/capabilities_baseline2.yaml | 18 ++++ .../v1.24/fail/capabilities_baseline3.yaml | 18 ++++ .../baseline/v1.24/fail/hostnamespaces0.yaml | 12 +++ .../baseline/v1.24/fail/hostnamespaces1.yaml | 12 +++ .../baseline/v1.24/fail/hostnamespaces2.yaml | 12 +++ .../baseline/v1.24/fail/hostpathvolumes0.yaml | 17 ++++ .../baseline/v1.24/fail/hostpathvolumes1.yaml | 18 ++++ .../baseline/v1.24/fail/hostports0.yaml | 14 +++ .../baseline/v1.24/fail/hostports1.yaml | 14 +++ .../baseline/v1.24/fail/hostports2.yaml | 19 ++++ .../baseline/v1.24/fail/privileged0.yaml | 15 +++ .../baseline/v1.24/fail/privileged1.yaml | 15 +++ .../baseline/v1.24/fail/procmount0.yaml | 15 +++ .../baseline/v1.24/fail/procmount1.yaml | 15 +++ .../v1.24/fail/seccompprofile_baseline0.yaml | 16 +++ .../v1.24/fail/seccompprofile_baseline1.yaml | 16 +++ .../v1.24/fail/seccompprofile_baseline2.yaml | 16 +++ .../baseline/v1.24/fail/selinuxoptions0.yaml | 18 ++++ .../baseline/v1.24/fail/selinuxoptions1.yaml | 18 ++++ .../baseline/v1.24/fail/selinuxoptions2.yaml | 18 ++++ .../baseline/v1.24/fail/selinuxoptions3.yaml | 18 ++++ .../baseline/v1.24/fail/selinuxoptions4.yaml | 18 ++++ .../baseline/v1.24/fail/sysctls0.yaml | 15 +++ .../v1.24/fail/windowshostprocess0.yaml | 19 ++++ .../v1.24/fail/windowshostprocess1.yaml | 20 ++++ .../baseline/v1.24/pass/apparmorprofile0.yaml | 13 +++ .../testdata/baseline/v1.24/pass/base.yaml | 11 +++ .../v1.24/pass/capabilities_baseline0.yaml | 
44 +++++++++ .../baseline/v1.24/pass/hostports0.yaml | 15 +++ .../baseline/v1.24/pass/privileged0.yaml | 16 +++ .../baseline/v1.24/pass/procmount0.yaml | 16 +++ .../v1.24/pass/seccompprofile_baseline0.yaml | 18 ++++ .../baseline/v1.24/pass/selinuxoptions0.yaml | 15 +++ .../baseline/v1.24/pass/selinuxoptions1.yaml | 21 ++++ .../baseline/v1.24/pass/sysctls0.yaml | 12 +++ .../baseline/v1.24/pass/sysctls1.yaml | 23 +++++ .../baseline/v1.25/fail/apparmorprofile0.yaml | 13 +++ .../baseline/v1.25/fail/apparmorprofile1.yaml | 13 +++ .../v1.25/fail/capabilities_baseline0.yaml | 18 ++++ .../v1.25/fail/capabilities_baseline1.yaml | 18 ++++ .../v1.25/fail/capabilities_baseline2.yaml | 18 ++++ .../v1.25/fail/capabilities_baseline3.yaml | 18 ++++ .../baseline/v1.25/fail/hostnamespaces0.yaml | 12 +++ .../baseline/v1.25/fail/hostnamespaces1.yaml | 12 +++ .../baseline/v1.25/fail/hostnamespaces2.yaml | 12 +++ .../baseline/v1.25/fail/hostpathvolumes0.yaml | 17 ++++ .../baseline/v1.25/fail/hostpathvolumes1.yaml | 18 ++++ .../baseline/v1.25/fail/hostports0.yaml | 14 +++ .../baseline/v1.25/fail/hostports1.yaml | 14 +++ .../baseline/v1.25/fail/hostports2.yaml | 19 ++++ .../baseline/v1.25/fail/privileged0.yaml | 15 +++ .../baseline/v1.25/fail/privileged1.yaml | 15 +++ .../baseline/v1.25/fail/procmount0.yaml | 15 +++ .../baseline/v1.25/fail/procmount1.yaml | 15 +++ .../v1.25/fail/seccompprofile_baseline0.yaml | 16 +++ .../v1.25/fail/seccompprofile_baseline1.yaml | 16 +++ .../v1.25/fail/seccompprofile_baseline2.yaml | 16 +++ .../baseline/v1.25/fail/selinuxoptions0.yaml | 18 ++++ .../baseline/v1.25/fail/selinuxoptions1.yaml | 18 ++++ .../baseline/v1.25/fail/selinuxoptions2.yaml | 18 ++++ .../baseline/v1.25/fail/selinuxoptions3.yaml | 18 ++++ .../baseline/v1.25/fail/selinuxoptions4.yaml | 18 ++++ .../baseline/v1.25/fail/sysctls0.yaml | 15 +++ .../v1.25/fail/windowshostprocess0.yaml | 19 ++++ .../v1.25/fail/windowshostprocess1.yaml | 20 ++++ .../baseline/v1.25/pass/apparmorprofile0.yaml | 13 
+++ .../testdata/baseline/v1.25/pass/base.yaml | 11 +++ .../v1.25/pass/capabilities_baseline0.yaml | 44 +++++++++ .../baseline/v1.25/pass/hostports0.yaml | 15 +++ .../baseline/v1.25/pass/privileged0.yaml | 16 +++ .../baseline/v1.25/pass/procmount0.yaml | 16 +++ .../v1.25/pass/seccompprofile_baseline0.yaml | 18 ++++ .../baseline/v1.25/pass/selinuxoptions0.yaml | 15 +++ .../baseline/v1.25/pass/selinuxoptions1.yaml | 21 ++++ .../baseline/v1.25/pass/sysctls0.yaml | 12 +++ .../baseline/v1.25/pass/sysctls1.yaml | 23 +++++ .../v1.24/fail/allowprivilegeescalation0.yaml | 25 +++++ .../v1.24/fail/allowprivilegeescalation1.yaml | 25 +++++ .../v1.24/fail/allowprivilegeescalation2.yaml | 24 +++++ .../v1.24/fail/allowprivilegeescalation3.yaml | 20 ++++ .../v1.24/fail/apparmorprofile0.yaml | 27 ++++++ .../v1.24/fail/apparmorprofile1.yaml | 27 ++++++ .../v1.24/fail/capabilities_baseline0.yaml | 27 ++++++ .../v1.24/fail/capabilities_baseline1.yaml | 27 ++++++ .../v1.24/fail/capabilities_baseline2.yaml | 27 ++++++ .../v1.24/fail/capabilities_baseline3.yaml | 27 ++++++ .../v1.24/fail/capabilities_restricted0.yaml | 23 +++++ .../v1.24/fail/capabilities_restricted1.yaml | 23 +++++ .../v1.24/fail/capabilities_restricted2.yaml | 97 +++++++++++++++++++ .../v1.24/fail/capabilities_restricted3.yaml | 53 ++++++++++ .../v1.24/fail/hostnamespaces0.yaml | 26 +++++ .../v1.24/fail/hostnamespaces1.yaml | 26 +++++ .../v1.24/fail/hostnamespaces2.yaml | 26 +++++ .../v1.24/fail/hostpathvolumes0.yaml | 31 ++++++ .../v1.24/fail/hostpathvolumes1.yaml | 32 ++++++ .../restricted/v1.24/fail/hostports0.yaml | 28 ++++++ .../restricted/v1.24/fail/hostports1.yaml | 28 ++++++ .../restricted/v1.24/fail/hostports2.yaml | 33 +++++++ .../restricted/v1.24/fail/privileged0.yaml | 25 +++++ .../restricted/v1.24/fail/privileged1.yaml | 25 +++++ .../restricted/v1.24/fail/procmount0.yaml | 26 +++++ .../restricted/v1.24/fail/procmount1.yaml | 26 +++++ .../v1.24/fail/restrictedvolumes0.yaml | 29 ++++++ 
.../v1.24/fail/restrictedvolumes1.yaml | 29 ++++++ .../v1.24/fail/restrictedvolumes10.yaml | 29 ++++++ .../v1.24/fail/restrictedvolumes11.yaml | 30 ++++++ .../v1.24/fail/restrictedvolumes12.yaml | 30 ++++++ .../v1.24/fail/restrictedvolumes13.yaml | 29 ++++++ .../v1.24/fail/restrictedvolumes14.yaml | 30 ++++++ .../v1.24/fail/restrictedvolumes15.yaml | 30 ++++++ .../v1.24/fail/restrictedvolumes16.yaml | 30 ++++++ .../v1.24/fail/restrictedvolumes17.yaml | 32 ++++++ .../v1.24/fail/restrictedvolumes18.yaml | 29 ++++++ .../v1.24/fail/restrictedvolumes19.yaml | 29 ++++++ .../v1.24/fail/restrictedvolumes2.yaml | 29 ++++++ .../v1.24/fail/restrictedvolumes3.yaml | 30 ++++++ .../v1.24/fail/restrictedvolumes4.yaml | 31 ++++++ .../v1.24/fail/restrictedvolumes5.yaml | 30 ++++++ .../v1.24/fail/restrictedvolumes6.yaml | 31 ++++++ .../v1.24/fail/restrictedvolumes7.yaml | 29 ++++++ .../v1.24/fail/restrictedvolumes8.yaml | 29 ++++++ .../v1.24/fail/restrictedvolumes9.yaml | 30 ++++++ .../restricted/v1.24/fail/runasnonroot0.yaml | 24 +++++ .../restricted/v1.24/fail/runasnonroot1.yaml | 25 +++++ .../restricted/v1.24/fail/runasnonroot2.yaml | 26 +++++ .../restricted/v1.24/fail/runasnonroot3.yaml | 26 +++++ .../restricted/v1.24/fail/runasuser0.yaml | 26 +++++ .../restricted/v1.24/fail/runasuser1.yaml | 26 +++++ .../restricted/v1.24/fail/runasuser2.yaml | 26 +++++ .../v1.24/fail/seccompprofile_baseline0.yaml | 25 +++++ .../v1.24/fail/seccompprofile_baseline1.yaml | 27 ++++++ .../v1.24/fail/seccompprofile_baseline2.yaml | 27 ++++++ .../fail/seccompprofile_restricted0.yaml | 23 +++++ .../fail/seccompprofile_restricted1.yaml | 25 +++++ .../fail/seccompprofile_restricted2.yaml | 25 +++++ .../fail/seccompprofile_restricted3.yaml | 25 +++++ .../fail/seccompprofile_restricted4.yaml | 27 ++++++ .../v1.24/fail/selinuxoptions0.yaml | 29 ++++++ .../v1.24/fail/selinuxoptions1.yaml | 29 ++++++ .../v1.24/fail/selinuxoptions2.yaml | 29 ++++++ .../v1.24/fail/selinuxoptions3.yaml | 29 ++++++ 
.../v1.24/fail/selinuxoptions4.yaml | 29 ++++++ .../restricted/v1.24/fail/sysctls0.yaml | 28 ++++++ .../v1.24/fail/windowshostprocess0.yaml | 30 ++++++ .../v1.24/fail/windowshostprocess1.yaml | 31 ++++++ .../v1.24/pass/apparmorprofile0.yaml | 27 ++++++ .../testdata/restricted/v1.24/pass/base.yaml | 25 +++++ .../v1.24/pass/capabilities_restricted0.yaml | 29 ++++++ .../restricted/v1.24/pass/hostports0.yaml | 29 ++++++ .../restricted/v1.24/pass/privileged0.yaml | 27 ++++++ .../restricted/v1.24/pass/procmount0.yaml | 27 ++++++ .../v1.24/pass/restrictedvolumes0.yaml | 47 +++++++++ .../restricted/v1.24/pass/runasnonroot0.yaml | 25 +++++ .../restricted/v1.24/pass/runasnonroot1.yaml | 26 +++++ .../restricted/v1.24/pass/runasuser0.yaml | 28 ++++++ .../pass/seccompprofile_restricted0.yaml | 25 +++++ .../pass/seccompprofile_restricted1.yaml | 26 +++++ .../pass/seccompprofile_restricted2.yaml | 28 ++++++ .../v1.24/pass/selinuxoptions0.yaml | 26 +++++ .../v1.24/pass/selinuxoptions1.yaml | 32 ++++++ .../restricted/v1.24/pass/sysctls0.yaml | 25 +++++ .../restricted/v1.24/pass/sysctls1.yaml | 36 +++++++ .../v1.25/fail/allowprivilegeescalation0.yaml | 25 +++++ .../v1.25/fail/allowprivilegeescalation1.yaml | 25 +++++ .../v1.25/fail/allowprivilegeescalation2.yaml | 24 +++++ .../v1.25/fail/allowprivilegeescalation3.yaml | 20 ++++ .../v1.25/fail/apparmorprofile0.yaml | 27 ++++++ .../v1.25/fail/apparmorprofile1.yaml | 27 ++++++ .../v1.25/fail/capabilities_baseline0.yaml | 27 ++++++ .../v1.25/fail/capabilities_baseline1.yaml | 27 ++++++ .../v1.25/fail/capabilities_baseline2.yaml | 27 ++++++ .../v1.25/fail/capabilities_baseline3.yaml | 27 ++++++ .../v1.25/fail/capabilities_restricted0.yaml | 23 +++++ .../v1.25/fail/capabilities_restricted1.yaml | 23 +++++ .../v1.25/fail/capabilities_restricted2.yaml | 97 +++++++++++++++++++ .../v1.25/fail/capabilities_restricted3.yaml | 53 ++++++++++ .../v1.25/fail/hostnamespaces0.yaml | 26 +++++ .../v1.25/fail/hostnamespaces1.yaml | 26 +++++ 
.../v1.25/fail/hostnamespaces2.yaml | 26 +++++ .../v1.25/fail/hostpathvolumes0.yaml | 31 ++++++ .../v1.25/fail/hostpathvolumes1.yaml | 32 ++++++ .../restricted/v1.25/fail/hostports0.yaml | 28 ++++++ .../restricted/v1.25/fail/hostports1.yaml | 28 ++++++ .../restricted/v1.25/fail/hostports2.yaml | 33 +++++++ .../restricted/v1.25/fail/privileged0.yaml | 25 +++++ .../restricted/v1.25/fail/privileged1.yaml | 25 +++++ .../restricted/v1.25/fail/procmount0.yaml | 26 +++++ .../restricted/v1.25/fail/procmount1.yaml | 26 +++++ .../v1.25/fail/restrictedvolumes0.yaml | 29 ++++++ .../v1.25/fail/restrictedvolumes1.yaml | 29 ++++++ .../v1.25/fail/restrictedvolumes10.yaml | 29 ++++++ .../v1.25/fail/restrictedvolumes11.yaml | 30 ++++++ .../v1.25/fail/restrictedvolumes12.yaml | 30 ++++++ .../v1.25/fail/restrictedvolumes13.yaml | 29 ++++++ .../v1.25/fail/restrictedvolumes14.yaml | 30 ++++++ .../v1.25/fail/restrictedvolumes15.yaml | 30 ++++++ .../v1.25/fail/restrictedvolumes16.yaml | 30 ++++++ .../v1.25/fail/restrictedvolumes17.yaml | 32 ++++++ .../v1.25/fail/restrictedvolumes18.yaml | 29 ++++++ .../v1.25/fail/restrictedvolumes19.yaml | 29 ++++++ .../v1.25/fail/restrictedvolumes2.yaml | 29 ++++++ .../v1.25/fail/restrictedvolumes3.yaml | 30 ++++++ .../v1.25/fail/restrictedvolumes4.yaml | 31 ++++++ .../v1.25/fail/restrictedvolumes5.yaml | 30 ++++++ .../v1.25/fail/restrictedvolumes6.yaml | 31 ++++++ .../v1.25/fail/restrictedvolumes7.yaml | 29 ++++++ .../v1.25/fail/restrictedvolumes8.yaml | 29 ++++++ .../v1.25/fail/restrictedvolumes9.yaml | 30 ++++++ .../restricted/v1.25/fail/runasnonroot0.yaml | 24 +++++ .../restricted/v1.25/fail/runasnonroot1.yaml | 25 +++++ .../restricted/v1.25/fail/runasnonroot2.yaml | 26 +++++ .../restricted/v1.25/fail/runasnonroot3.yaml | 26 +++++ .../restricted/v1.25/fail/runasuser0.yaml | 26 +++++ .../restricted/v1.25/fail/runasuser1.yaml | 26 +++++ .../restricted/v1.25/fail/runasuser2.yaml | 26 +++++ .../v1.25/fail/seccompprofile_baseline0.yaml | 25 +++++ 
.../v1.25/fail/seccompprofile_baseline1.yaml | 27 ++++++ .../v1.25/fail/seccompprofile_baseline2.yaml | 27 ++++++ .../fail/seccompprofile_restricted0.yaml | 23 +++++ .../fail/seccompprofile_restricted1.yaml | 25 +++++ .../fail/seccompprofile_restricted2.yaml | 25 +++++ .../fail/seccompprofile_restricted3.yaml | 25 +++++ .../fail/seccompprofile_restricted4.yaml | 27 ++++++ .../v1.25/fail/selinuxoptions0.yaml | 29 ++++++ .../v1.25/fail/selinuxoptions1.yaml | 29 ++++++ .../v1.25/fail/selinuxoptions2.yaml | 29 ++++++ .../v1.25/fail/selinuxoptions3.yaml | 29 ++++++ .../v1.25/fail/selinuxoptions4.yaml | 29 ++++++ .../restricted/v1.25/fail/sysctls0.yaml | 28 ++++++ .../v1.25/fail/windowshostprocess0.yaml | 30 ++++++ .../v1.25/fail/windowshostprocess1.yaml | 31 ++++++ .../v1.25/pass/apparmorprofile0.yaml | 27 ++++++ .../testdata/restricted/v1.25/pass/base.yaml | 25 +++++ .../restricted/v1.25/pass/base_linux.yaml | 27 ++++++ .../restricted/v1.25/pass/base_windows.yaml | 15 +++ .../v1.25/pass/capabilities_restricted0.yaml | 29 ++++++ .../restricted/v1.25/pass/hostports0.yaml | 29 ++++++ .../restricted/v1.25/pass/privileged0.yaml | 27 ++++++ .../restricted/v1.25/pass/procmount0.yaml | 27 ++++++ .../v1.25/pass/restrictedvolumes0.yaml | 47 +++++++++ .../restricted/v1.25/pass/runasnonroot0.yaml | 25 +++++ .../restricted/v1.25/pass/runasnonroot1.yaml | 26 +++++ .../restricted/v1.25/pass/runasuser0.yaml | 28 ++++++ .../pass/seccompprofile_restricted0.yaml | 25 +++++ .../pass/seccompprofile_restricted1.yaml | 26 +++++ .../pass/seccompprofile_restricted2.yaml | 28 ++++++ .../v1.25/pass/selinuxoptions0.yaml | 26 +++++ .../v1.25/pass/selinuxoptions1.yaml | 32 ++++++ .../restricted/v1.25/pass/sysctls0.yaml | 25 +++++ .../restricted/v1.25/pass/sysctls1.yaml | 36 +++++++ 258 files changed, 6494 insertions(+), 13 deletions(-) create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/apparmorprofile0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/apparmorprofile1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostnamespaces0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostnamespaces1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostnamespaces2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostpathvolumes0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostpathvolumes1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostports0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostports1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostports2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/procmount1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/seccompprofile_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/seccompprofile_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/seccompprofile_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/sysctls0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/windowshostprocess0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/windowshostprocess1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/apparmorprofile0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/base.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/capabilities_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/hostports0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/procmount0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/seccompprofile_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/selinuxoptions0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/selinuxoptions1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/sysctls0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/sysctls1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/apparmorprofile0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/apparmorprofile1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostnamespaces0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostnamespaces1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostnamespaces2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostpathvolumes0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostpathvolumes1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostports0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostports1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostports2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/seccompprofile_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/seccompprofile_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/seccompprofile_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/sysctls0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/windowshostprocess0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/windowshostprocess1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/apparmorprofile0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/base.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/capabilities_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/hostports0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/seccompprofile_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/selinuxoptions0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/selinuxoptions1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/sysctls0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/sysctls1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/apparmorprofile0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/apparmorprofile1.yaml create mode 
100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_restricted3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostnamespaces0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostnamespaces1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostnamespaces2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostpathvolumes0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostpathvolumes1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostports0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostports1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostports2.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes10.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes11.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes12.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes13.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes14.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes15.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes16.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes17.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes18.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes19.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes5.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes6.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes7.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes8.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes9.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasnonroot0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasnonroot1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasnonroot2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasnonroot3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasuser0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasuser1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasuser2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_baseline0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/sysctls0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/windowshostprocess0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/windowshostprocess1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/apparmorprofile0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/base.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/capabilities_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/hostports0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/restrictedvolumes0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/runasnonroot0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/runasnonroot1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/runasuser0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/seccompprofile_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/seccompprofile_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/seccompprofile_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/selinuxoptions0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/selinuxoptions1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/sysctls0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/sysctls1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/allowprivilegeescalation0.yaml 
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/allowprivilegeescalation1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/allowprivilegeescalation2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/allowprivilegeescalation3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/apparmorprofile0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/apparmorprofile1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_baseline3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_restricted3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostnamespaces0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostnamespaces1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostnamespaces2.yaml create mode 
100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostpathvolumes0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostpathvolumes1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostports0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostports1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostports2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes10.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes11.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes12.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes13.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes14.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes15.yaml create 
mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes16.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes17.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes18.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes19.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes5.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes6.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes7.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes8.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes9.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasnonroot0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasnonroot1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasnonroot2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasnonroot3.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasuser0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasuser1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasuser2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions4.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/sysctls0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/windowshostprocess0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/windowshostprocess1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/apparmorprofile0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/base.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/base_linux.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/base_windows.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/capabilities_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/hostports0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/restrictedvolumes0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/runasnonroot0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/runasnonroot1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/runasuser0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/seccompprofile_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/seccompprofile_restricted1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/seccompprofile_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/selinuxoptions0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/selinuxoptions1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/sysctls0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/sysctls1.yaml
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures.go b/staging/src/k8s.io/pod-security-admission/test/fixtures.go
index 4d00397a0cb5..e3be0e861c49 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures.go
@@ -26,14 +26,37 @@ import ( "k8s.io/utils/pointer" ) -// minimalValidPods holds minimal valid pods per-level per-version. +// minimalValidPods holds minimal valid OS neutral pods per-level per-version. // To get a valid pod for a particular level/version, use getMinimalValidPod(). var minimalValidPods = map[api.Level]map[api.Version]*corev1.Pod{} +// minimalValidLinuxPods holds minimal valid linux pods per-level per-version. +// To get a valid pod for a particular level/version, use getMinimalValidPod(). +var minimalValidLinuxPods = map[api.Level]map[api.Version]*corev1.Pod{} + +// minimalValidWindowsPods holds minimal valid Windows pods per-level per-version. +// To get a valid pod for a particular level/version, use getMinimalValidPod(). +var minimalValidWindowsPods = map[api.Level]map[api.Version]*corev1.Pod{} + +func addLinux(pod *corev1.Pod) *corev1.Pod { + copyPod := pod.DeepCopy() + copyPod.Spec.OS = &corev1.PodOS{Name: corev1.Linux} + return copyPod +} + +func addWindows(pod *corev1.Pod) *corev1.Pod { + copyPod := pod.DeepCopy() + copyPod.Spec.OS = &corev1.PodOS{Name: corev1.Windows} + return copyPod +} + func init() { + // These are the OS neutral pods minimalValidPods[api.LevelBaseline] = map[api.Version]*corev1.Pod{} minimalValidPods[api.LevelRestricted] = map[api.Version]*corev1.Pod{} + minimalValidLinuxPods[api.LevelRestricted] = map[api.Version]*corev1.Pod{} + minimalValidWindowsPods[api.LevelRestricted] = map[api.Version]*corev1.Pod{} // Define minimal valid baseline pod. // This must remain valid for all versions. baseline_1_0 := &corev1.Pod{Spec: corev1.PodSpec{ 
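Review bot: The doc comments on the new `minimalValidLinuxPods` and `minimalValidWindowsPods` tables still say "use getMinimalValidPod()", which is the OS-neutral accessor; they should point at the accessors added for them, e.g. `// To get a valid pod for a particular level/version, use GetMinimalValidLinuxPod().` and the Windows counterpart (the pre-existing comment on `minimalValidPods` has the same lowercase-name slip). `addLinux` and `addWindows` differ only in the `corev1.OSName` they assign and carry no doc comment; a single `withOS(pod *corev1.Pod, name corev1.OSName) *corev1.Pod` with the two kept as thin wrappers would state the deep-copy-then-overwrite contract in one place. The `// These are the OS neutral pods` comment sits above all four map initializations although the last two are the OS-specific tables, so it reads as if all four were neutral. Only `api.LevelRestricted` gets Linux/Windows tables here, so `GetMinimalValidWindowsPod(api.LevelBaseline, …)` walks back to minor 0 and returns the not-found error; that is worth saying on the table comments so callers do not read it as a bug.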
@@ -50,6 +73,8 @@ func init() { p.Spec.SecurityContext = &corev1.PodSecurityContext{RunAsNonRoot: pointer.BoolPtr(true)} }) minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 0)] = restricted_1_0
+ minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 0)] = addLinux(restricted_1_0)
+ minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 0)] = addWindows(restricted_1_0)
 // 1.8+: allowPrivilegeEscalation=false restricted_1_8 := tweak(restricted_1_0, func(p *corev1.Pod) {
@@ -57,6 +82,8 @@ func init() { p.Spec.InitContainers[0].SecurityContext = &corev1.SecurityContext{AllowPrivilegeEscalation: pointer.BoolPtr(false)} }) minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 8)] = restricted_1_8
+ minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 8)] = addLinux(restricted_1_8)
+ minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 8)] = addWindows(restricted_1_8)
 // 1.19+: seccompProfile.type=RuntimeDefault restricted_1_19 := tweak(restricted_1_8, func(p *corev1.Pod) {
@@ -66,6 +93,8 @@ func init() { } }) minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 19)] = restricted_1_19
+ minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 19)] = addLinux(restricted_1_19)
+ minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 19)] = addWindows(restricted_1_19)
 // 1.22+: capabilities.drop=["ALL"] restricted_1_22 := tweak(restricted_1_19, func(p *corev1.Pod) {
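Review bot: The three hunks on this line, and the 1.22 entry in the next one, repeat the same triple of map writes for every version (`minimalValidPods[…][v] = x`, `minimalValidLinuxPods[…][v] = addLinux(x)`, `minimalValidWindowsPods[…][v] = addWindows(x)`), which is the kind of pattern that drifts when a new version is added and one table is forgotten. A local closure in init, `registerRestricted := func(v api.Version, p *corev1.Pod) { minimalValidPods[api.LevelRestricted][v] = p; minimalValidLinuxPods[api.LevelRestricted][v] = addLinux(p); minimalValidWindowsPods[api.LevelRestricted][v] = addWindows(p) }`, would reduce each site to one call while leaving the deliberately divergent 1.25 entry explicit. init() starts and ends outside these hunks.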
@@ -73,9 +102,19 @@ func init() { p.Spec.InitContainers[0].SecurityContext.Capabilities = &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}} }) minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 22)] = restricted_1_22 + minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 22)] = addLinux(restricted_1_22) + minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 22)] = addWindows(restricted_1_22) + + // 1.25+: OS specific changes + minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 25)] = restricted_1_22 + minimalValidLinuxPods[api.LevelRestricted][api.MajorMinorVersion(1, 25)] = addLinux(restricted_1_22) + // none of the restricted requirements added between 1.0 and 1.25 apply to the pods that are explicitly Windows + restricted_1_25_windows := addWindows(restricted_1_0) + minimalValidWindowsPods[api.LevelRestricted][api.MajorMinorVersion(1, 25)] = restricted_1_25_windows + } -// GetMinimalValidPod returns a minimal valid pod for the specified level and version. +// GetMinimalValidPod returns a minimal valid OS neutral pod for the specified level and version. func GetMinimalValidPod(level api.Level, version api.Version) (*corev1.Pod, error) { originalVersion := version for { 
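Review bot: The comment above the 1.25 Windows fixture says none of the restricted requirements added between 1.0 and 1.25 apply to explicitly-Windows pods, but `addWindows(restricted_1_0)` still carries the `runAsNonRoot: true` that restricted_1_0 sets, so the comment overstates what is dropped; it also does not say which checks are expected to honour the exemption. Suggest `// Windows pods at 1.25+ are exempt from the allowPrivilegeEscalation (1.8), seccompProfile (1.19) and capabilities.drop (1.22) requirements; everything in restricted_1_0 (presumably including runAsNonRoot) still applies.`, which records exactly which policy checks need an OS-aware 1.25 variant for this fixture to keep passing. The `restricted_1_25_windows` temporary is used once and can be inlined into the map assignment, and the blank line before init's closing brace is stray. The neutral and Linux 1.25 entries alias the same `restricted_1_22` object as the 1.22 entries; that is only safe because the accessors return `pod.DeepCopy()`, so either a comment saying so or storing `restricted_1_22.DeepCopy()` would guard against a later in-place edit of one entry leaking into the other.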
@@ -90,6 +129,36 @@ func GetMinimalValidPod(level api.Level, version api.Version) (*corev1.Pod, erro } }
+// GetMinimalValidLinuxPod returns a minimal valid linux pod for the specified level and version.
+func GetMinimalValidLinuxPod(level api.Level, version api.Version) (*corev1.Pod, error) {
+ originalVersion := version
+ for {
+ pod, exists := minimalValidLinuxPods[level][version]
+ if exists {
+ return pod.DeepCopy(), nil
+ }
+ if version.Minor() <= 0 {
+ return nil, fmt.Errorf("no valid pod fixture found in specified or older versions for %s/%s", level, originalVersion.String())
+ }
+ version = api.MajorMinorVersion(version.Major(), version.Minor()-1)
+ }
+}
+
+// GetMinimalValidWindowsPod returns a minimal valid windows pod for the specified level and version.
+func GetMinimalValidWindowsPod(level api.Level, version api.Version) (*corev1.Pod, error) {
+ originalVersion := version
+ for {
+ pod, exists := minimalValidWindowsPods[level][version]
+ if exists {
+ return pod.DeepCopy(), nil
+ }
+ if version.Minor() <= 0 {
+ return nil, fmt.Errorf("no valid pod fixture found in specified or older versions for %s/%s", level, originalVersion.String())
+ }
+ version = api.MajorMinorVersion(version.Major(), version.Minor()-1)
+ }
+}
+
 // fixtureGenerators holds fixture generators per-level per-version. // To add generators, use registerFixtureGenerator(). // To get fixtures for a particular level/version, use getFixtures().
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_allowPrivilegeEscalation.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_allowPrivilegeEscalation.go
index 94c2494deb4a..b2ce114e5daf 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_allowPrivilegeEscalation.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_allowPrivilegeEscalation.go
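Review bot: `GetMinimalValidLinuxPod` and `GetMinimalValidWindowsPod` are byte-for-byte copies of each other (and, as far as the hunk shows, of `GetMinimalValidPod`) differing only in the table they read, so the walk-back-to-older-version lookup, the minor-0 stop and the error text now exist three times and will drift independently. Factor the loop into one unexported helper that takes the table, and make the three exported accessors one-line wrappers; the error message can stay identical so no caller-visible behaviour changes. `GetMinimalValidPod` begins in the previous hunk and could use the same helper, but its body is outside this hunk so it is not shown below.
```go
// minimalValidPodFrom returns a deep copy of the fixture in table for level at
// version, or at the nearest older minor version that has one.
func minimalValidPodFrom(table map[api.Level]map[api.Version]*corev1.Pod, level api.Level, version api.Version) (*corev1.Pod, error) {
	originalVersion := version
	for {
		if pod, exists := table[level][version]; exists {
			return pod.DeepCopy(), nil
		}
		if version.Minor() <= 0 {
			return nil, fmt.Errorf("no valid pod fixture found in specified or older versions for %s/%s", level, originalVersion.String())
		}
		version = api.MajorMinorVersion(version.Major(), version.Minor()-1)
	}
}

// GetMinimalValidLinuxPod returns a minimal valid linux pod for the specified level and version.
func GetMinimalValidLinuxPod(level api.Level, version api.Version) (*corev1.Pod, error) {
	return minimalValidPodFrom(minimalValidLinuxPods, level, version)
}

// GetMinimalValidWindowsPod returns a minimal valid windows pod for the specified level and version.
func GetMinimalValidWindowsPod(level api.Level, version api.Version) (*corev1.Pod, error) {
	return minimalValidPodFrom(minimalValidWindowsPods, level, version)
}
```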
@@ -38,6 +38,9 @@ func init() {
 return nil
 },
 generateFail: func(p *corev1.Pod) []*corev1.Pod {
+ if p.Spec.OS != nil && p.Spec.OS.Name == corev1.Windows {
+ return []*corev1.Pod{}
+ }
 return []*corev1.Pod{
 // explicit true
 tweak(p, func(p *corev1.Pod) {
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_test.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_test.go
index 959ab0d18f10..28be202cceec 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_test.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_test.go
@@ -46,8 +46,6 @@ func TestFixtures(t *testing.T) { defaultChecks := policy.DefaultChecks() - const newestMinorVersionToTest = 23 - policyVersions := computeVersionsToTest(t, defaultChecks) newestMinorVersionWithPolicyChanges := policyVersions[len(policyVersions)-1].Minor() 
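Review bot: The new early return in generateFail hands back `[]*corev1.Pod{}` where the neighbouring generatePass uses a nil return for "nothing to emit", and it gives no reason for the gap, so a reader cannot tell whether the missing failing fixture is intentional. Suggest a nil return with the rationale on the guard: `if p.Spec.OS != nil && p.Spec.OS.Name == corev1.Windows { // 1.25+ does not enforce allowPrivilegeEscalation for spec.os.name=windows pods, so there is no failing variant to generate` followed by `return nil`, unless a caller distinguishes nil from an empty slice. The comment also makes visible that no fixture from this generator covers a Windows pod that does set allowPrivilegeEscalation, so that rejection path (presumably pod API validation rather than this check) is exercised elsewhere or not at all. The enclosing init and generateFail bodies continue outside the hunk.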
@@ -61,11 +59,25 @@ func TestFixtures(t *testing.T) { failDir := filepath.Join("testdata", string(level), fmt.Sprintf("v1.%d", version), "fail") // render the minimal valid pod fixture - validPod, err := GetMinimalValidPod(level, api.MajorMinorVersion(1, version)) + osNeutralPod, err := GetMinimalValidPod(level, api.MajorMinorVersion(1, version)) if err != nil { t.Fatal(err) } - expectedFiles.Insert(testFixtureFile(t, passDir, "base", validPod)) + expectedFiles.Insert(testFixtureFile(t, passDir, "base", osNeutralPod)) + // Don't generate OS specific pods when version < 1.25 as pod os field based restriction is not enabled. + if level == api.LevelRestricted && version >= podOSBasedRestrictionEnabledVersion { + linuxPod, err := GetMinimalValidLinuxPod(level, api.MajorMinorVersion(1, version)) + if err != nil { + t.Fatal(err) + } + expectedFiles.Insert(testFixtureFile(t, passDir, "base_linux", linuxPod)) + + windowsPod, err := GetMinimalValidWindowsPod(level, api.MajorMinorVersion(1, version)) + if err != nil { + t.Fatal(err) + } + expectedFiles.Insert(testFixtureFile(t, passDir, "base_windows", windowsPod)) + } // render check-specific fixtures checkIDs, err := checksForLevelAndVersion(defaultChecks, level, api.MajorMinorVersion(1, version)) diff --git a/staging/src/k8s.io/pod-security-admission/test/run.go b/staging/src/k8s.io/pod-security-admission/test/run.go index ea7ea01507b9..3c1fdd81938c 100644 --- a/staging/src/k8s.io/pod-security-admission/test/run.go +++ b/staging/src/k8s.io/pod-security-admission/test/run.go @@ -36,6 +36,11 @@ import ( "k8s.io/pod-security-admission/policy" ) +const ( + newestMinorVersionToTest = 25 + podOSBasedRestrictionEnabledVersion = 25 +) + // Options hold configuration for running integration tests against an existing server. type Options struct { // ClientConfig is a client configuration with sufficient permission to create, update, and delete 
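Review bot: The OS-specific base fixtures are rendered only for `level == api.LevelRestricted`, so the generated testdata never contains a Windows or Linux base pod at the baseline level, and nothing in the hunk says whether that is deliberate or an omission; a one-line comment would settle it, e.g. `// only the restricted profile has OS-aware checks; baseline fixtures stay OS neutral`. The comment `Don't generate OS specific pods when version < 1.25` hard-codes the number that `podOSBasedRestrictionEnabledVersion` exists to name, so phrase it in terms of the constant to keep the two from drifting. `linuxPod, err :=` and `windowsPod, err :=` also shadow the outer `err`; harmless since each is checked immediately, but shadow linters will flag it. TestFixtures continues outside the hunk.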
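Review bot: The new `const` block in run.go drops the maintenance guidance that came with the old literal (the `TODO: find a way to use api.LatestVersion() here` comment removed in computeVersionsToTest), so `newestMinorVersionToTest = 25` now reads as an arbitrary number that will silently go stale each release. Suggest documenting both constants at the declaration: `// newestMinorVersionToTest is the release under development; bump it every release (TODO: derive from api.LatestVersion()).` and `// podOSBasedRestrictionEnabledVersion is the first minor in which restricted checks consult spec.os; OS-specific base pods are only generated from this version on.` Keeping the two values adjacent is fine, but the second comment should make clear they are independent and only coincide at 25.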
@@ -115,13 +120,28 @@ func computeVersionsToTest(t *testing.T, checks []policy.Check) []api.Version {
 }
 }
 
+ for _, versionsForLevel := range minimalValidLinuxPods {
+ for version := range versionsForLevel {
+ if version.Major() != 1 {
+ t.Fatalf("expected major version 1, got %d", version.Major())
+ }
+ seenVersions[version] = true
+ }
+ }
+
+ for _, versionsForLevel := range minimalValidWindowsPods {
+ for version := range versionsForLevel {
+ if version.Major() != 1 {
+ t.Fatalf("expected major version 1, got %d", version.Major())
+ }
+ seenVersions[version] = true
+ }
+ }
+
 alwaysIncludeVersions := []api.Version{
 // include the oldest version by default
 api.MajorMinorVersion(1, 0),
- // include the release under development (1.23 at time of writing).
- // this can be incremented to the current version whenever is convenient.
- // TODO: find a way to use api.LatestVersion() here
- api.MajorMinorVersion(1, 23),
+ api.MajorMinorVersion(1, newestMinorVersionToTest),
 }
 for _, version := range alwaysIncludeVersions {
 seenVersions[version] = true
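Review bot: The two added loops over `minimalValidLinuxPods` and `minimalValidWindowsPods` are identical copies of each other (and, judging by the closing braces at the top of the hunk, of the existing loop over `minimalValidPods` just above it), so each new fixture map means another copy of the major-version check. Ranging over a slice of the maps keeps a single body and lets the existing `minimalValidPods` loop be folded in as a follow-up; this assumes the maps share the `map[api.Level]map[api.Version]*corev1.Pod` type, which their declarations outside the hunk would confirm. computeVersionsToTest continues outside the hunk.

```go
	// … unchanged: existing loop over minimalValidPods …
	for _, fixtures := range []map[api.Level]map[api.Version]*corev1.Pod{minimalValidLinuxPods, minimalValidWindowsPods} {
		for _, versionsForLevel := range fixtures {
			for version := range versionsForLevel {
				if version.Major() != 1 {
					t.Fatalf("expected major version 1, got %d", version.Major())
				}
				seenVersions[version] = true
			}
		}
	}
	// … unchanged: alwaysIncludeVersions …
```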
@@ -296,13 +316,36 @@ func Run(t *testing.T, opts Options) { } } - minimalValidPod, err := GetMinimalValidPod(level, version) + minimalValidOSNeutralPod, err := GetMinimalValidPod(level, version) if err != nil { t.Fatal(err) } + var minimalValidLinuxPod, minimalValidWindowsPod *corev1.Pod + if level == api.LevelRestricted && version.Minor() >= podOSBasedRestrictionEnabledVersion { + minimalValidLinuxPod, err = GetMinimalValidLinuxPod(level, version) + if err != nil { + t.Fatal(err) + } + + minimalValidWindowsPod, err = GetMinimalValidWindowsPod(level, version) + if err != nil { + t.Fatal(err) + } + } + t.Run(ns+"_pass_base", func(t *testing.T) { - createPod(t, 0, minimalValidPod.DeepCopy(), true, "") - createController(t, 0, minimalValidPod.DeepCopy(), true, "") + createPod(t, 0, minimalValidOSNeutralPod.DeepCopy(), true, "") + createController(t, 0, minimalValidOSNeutralPod.DeepCopy(), true, "") + if minimalValidLinuxPod != nil && minimalValidWindowsPod != nil { + // Linux specific pods + createPod(t, 0, minimalValidLinuxPod.DeepCopy(), true, "") + createController(t, 0, minimalValidLinuxPod.DeepCopy(), true, "") + + // Windows specific pods + createPod(t, 0, minimalValidWindowsPod.DeepCopy(), true, "") + createController(t, 0, minimalValidWindowsPod.DeepCopy(), true, "") + } + }) checkIDs, err := checksForLevelAndVersion(opts.Checks, level, version) diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/apparmorprofile0.yaml new file mode 100755 index 000000000000..d9701544a076 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/apparmorprofile0.yaml 
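Review bot: The Linux and Windows pods are created inside the same `ns+"_pass_base"` subtest as the OS-neutral pod, so when one of the six creates fails the test name does not say which OS fixture broke, and the `minimalValidLinuxPod != nil && minimalValidWindowsPod != nil` guard restates the `level == api.LevelRestricted && version.Minor() >= podOSBasedRestrictionEnabledVersion` condition a few lines above it. Suggest wrapping each OS pair in its own subtest, `t.Run(ns+"_pass_base_linux", ...)` guarded by `if minimalValidLinuxPod != nil` and `t.Run(ns+"_pass_base_windows", ...)` guarded by `if minimalValidWindowsPod != nil`; the names then line up with the `base_linux` / `base_windows` fixture files TestFixtures writes, and a failure points at the fixture to inspect. Run continues outside the hunk.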
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container1: unconfined + name: apparmorprofile0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/apparmorprofile1.yaml new file mode 100755 index 000000000000..2fb92eb0de23 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/apparmorprofile1.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined + name: apparmorprofile1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline0.yaml new file mode 100755 index 000000000000..975bdfa020be --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - NET_RAW + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline1.yaml new file mode 100755 index 000000000000..01d1d853f75a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - NET_RAW + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline2.yaml new file mode 100755 index 000000000000..3bf7f7c95779 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - chown + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline3.yaml new file mode 100755 index 000000000000..88a8c9fb5224 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/capabilities_baseline3.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostnamespaces0.yaml new file mode 100755 index 000000000000..25b430dce60d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostnamespaces0.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + hostIPC: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostnamespaces1.yaml new file mode 100755 index 000000000000..6de254c098cc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostnamespaces1.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + hostNetwork: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostnamespaces2.yaml new file mode 100755 index 000000000000..715029bdd5b8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostnamespaces2.yaml 
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + hostPID: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostpathvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostpathvolumes0.yaml new file mode 100755 index 000000000000..36ef015553d8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostpathvolumes0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - emptyDir: {} + name: volume-emptydir + - hostPath: + path: /a + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostpathvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostpathvolumes1.yaml new file mode 100755 index 000000000000..a47c2a04ac12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostpathvolumes1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /a + name: volume-hostpath-a + - hostPath: + path: /b + name: volume-hostpath-b diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostports0.yaml new file mode 100755 index 000000000000..3477c38ec93d --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostports0.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostports1.yaml new file mode 100755 index 000000000000..9388dc7ba212 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostports1.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostports2.yaml new file mode 100755 index 000000000000..d68177965538 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/hostports2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + - containerPort: 12347 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + - containerPort: 12348 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/privileged0.yaml new file mode 100755 index 000000000000..71a106ad0c03 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/privileged0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/privileged1.yaml new file mode 100755 index 000000000000..6c2336d227dd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/privileged1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: true + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/procmount0.yaml new file mode 100755 index 000000000000..5848806ee43d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/procmount0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/procmount1.yaml new file mode 100755 index 000000000000..c802fb846175 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/procmount1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/seccompprofile_baseline0.yaml new file mode 100755 index 000000000000..6eb383a9d9f2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/seccompprofile_baseline0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/seccompprofile_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/seccompprofile_baseline1.yaml new file mode 100755 index 000000000000..1d30e745cd5c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/seccompprofile_baseline1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seccompProfile: + type: Unconfined + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/seccompprofile_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/seccompprofile_baseline2.yaml new file mode 100755 index 000000000000..d1fe1d3c4225 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/seccompprofile_baseline2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seccompProfile: + type: Unconfined + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions0.yaml new file mode 100755 index 000000000000..47df3a41955e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions1.yaml new file mode 100755 index 000000000000..26940d71c9d4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions1.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions2.yaml new file mode 100755 index 000000000000..edea17e7a3bd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: somevalue + securityContext: + seLinuxOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions3.yaml new file mode 100755 index 000000000000..64b797a6fabb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + user: somevalue 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions4.yaml new file mode 100755 index 000000000000..f34e012ced56 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/selinuxoptions4.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + role: somevalue diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/sysctls0.yaml new file mode 100755 index 000000000000..399f09abdd6a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/sysctls0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + sysctls: + - name: othersysctl + value: other diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/windowshostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/windowshostprocess0.yaml new file mode 100755 index 000000000000..806351a1ce0c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/windowshostprocess0.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: windowshostprocess0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + windowsOptions: {} + hostNetwork: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + windowsOptions: {} + securityContext: + windowsOptions: + hostProcess: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/windowshostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/windowshostprocess1.yaml new file mode 100755 index 000000000000..045ae94e9af1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/fail/windowshostprocess1.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: windowshostprocess1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + windowsOptions: + hostProcess: true + hostNetwork: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + windowsOptions: + hostProcess: true + securityContext: + windowsOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/apparmorprofile0.yaml new file mode 100755 index 000000000000..e0c5317d58c1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/apparmorprofile0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container1: localhost/foo + name: apparmorprofile0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/base.yaml new file mode 100755 index 000000000000..acd9c046ec78 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/base.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/capabilities_baseline0.yaml new file mode 100755 index 000000000000..a2b8a9276b5d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/capabilities_baseline0.yaml @@ -0,0 +1,44 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/hostports0.yaml new file mode 100755 index 000000000000..13cb046b9014 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/hostports0.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + ports: + - containerPort: 12345 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/privileged0.yaml new file mode 100755 index 000000000000..765eaec4fc6e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/procmount0.yaml new file mode 100755 index 000000000000..70345187f9c7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/procmount0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/seccompprofile_baseline0.yaml new file mode 100755 index 000000000000..d18990c9a9b5 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/seccompprofile_baseline0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/selinuxoptions0.yaml new file mode 100755 index 000000000000..1fbc94471d0c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/selinuxoptions0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/selinuxoptions1.yaml new file mode 100755 index 000000000000..3ff37cc0b5fa --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/selinuxoptions1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seLinuxOptions: + level: somevalue + type: container_init_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_kvm_t + securityContext: + seLinuxOptions: + type: container_t 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/sysctls0.yaml new file mode 100755 index 000000000000..221a8da2afe7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/sysctls0.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/sysctls1.yaml new file mode 100755 index 000000000000..13adc0c3651f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.24/pass/sysctls1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "0" + - name: net.ipv4.ip_local_port_range + value: 1024 65535 + - name: net.ipv4.tcp_syncookies + value: "0" + - name: net.ipv4.ping_group_range + value: 1 0 + - name: net.ipv4.ip_unprivileged_port_start + value: "1024" diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/apparmorprofile0.yaml new file mode 100755 index 000000000000..d9701544a076 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/apparmorprofile0.yaml 
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container1: unconfined
+ name: apparmorprofile0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/apparmorprofile1.yaml
new file mode 100755
index 000000000000..2fb92eb0de23
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/apparmorprofile1.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
+ name: apparmorprofile1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline0.yaml
new file mode 100755
index 000000000000..975bdfa020be
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline1.yaml
new file mode 100755
index 000000000000..01d1d853f75a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline2.yaml
new file mode 100755
index 000000000000..3bf7f7c95779
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline3.yaml
new file mode 100755
index 000000000000..88a8c9fb5224
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/capabilities_baseline3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostnamespaces0.yaml
new file mode 100755
index 000000000000..25b430dce60d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostnamespaces0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostnamespaces0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ hostIPC: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostnamespaces1.yaml
new file mode 100755
index 000000000000..6de254c098cc
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostnamespaces1.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostnamespaces1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ hostNetwork: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostnamespaces2.yaml
new file mode 100755
index 000000000000..715029bdd5b8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostnamespaces2.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostnamespaces2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ hostPID: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostpathvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostpathvolumes0.yaml
new file mode 100755
index 000000000000..36ef015553d8
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostpathvolumes0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpathvolumes0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ volumes:
+ - emptyDir: {}
+ name: volume-emptydir
+ - hostPath:
+ path: /a
+ name: volume-hostpath
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostpathvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostpathvolumes1.yaml
new file mode 100755
index 000000000000..a47c2a04ac12
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostpathvolumes1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpathvolumes1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /a
+ name: volume-hostpath-a
+ - hostPath:
+ path: /b
+ name: volume-hostpath-b
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostports0.yaml
new file mode 100755
index 000000000000..3477c38ec93d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostports0.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ hostPort: 12345
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostports1.yaml
new file mode 100755
index 000000000000..9388dc7ba212
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostports1.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
+ hostPort: 12346
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostports2.yaml
new file mode 100755
index 000000000000..d68177965538
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/hostports2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ hostPort: 12345
+ - containerPort: 12347
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
+ hostPort: 12346
+ - containerPort: 12348
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/privileged0.yaml
new file mode 100755
index 000000000000..71a106ad0c03
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/privileged0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/privileged1.yaml
new file mode 100755
index 000000000000..6c2336d227dd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/privileged1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/procmount0.yaml
new file mode 100755
index 000000000000..5848806ee43d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/procmount0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ procMount: Unmasked
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/procmount1.yaml
new file mode 100755
index 000000000000..c802fb846175
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/procmount1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ procMount: Unmasked
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/seccompprofile_baseline0.yaml
new file mode 100755
index 000000000000..6eb383a9d9f2
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/seccompprofile_baseline0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seccompProfile:
+ type: Unconfined
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/seccompprofile_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/seccompprofile_baseline1.yaml
new file mode 100755
index 000000000000..1d30e745cd5c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/seccompprofile_baseline1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/seccompprofile_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/seccompprofile_baseline2.yaml
new file mode 100755
index 000000000000..d1fe1d3c4225
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/seccompprofile_baseline2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions0.yaml
new file mode 100755
index 000000000000..47df3a41955e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions1.yaml
new file mode 100755
index 000000000000..26940d71c9d4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions2.yaml
new file mode 100755
index 000000000000..edea17e7a3bd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions3.yaml
new file mode 100755
index 000000000000..64b797a6fabb
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions4.yaml
new file mode 100755
index 000000000000..f34e012ced56
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/selinuxoptions4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/sysctls0.yaml
new file mode 100755
index 000000000000..399f09abdd6a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/windowshostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/windowshostprocess0.yaml
new file mode 100755
index 000000000000..806351a1ce0c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/windowshostprocess0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: windowshostprocess0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ windowsOptions: {}
+ hostNetwork: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ windowsOptions: {}
+ securityContext:
+ windowsOptions:
+ hostProcess: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/windowshostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/windowshostprocess1.yaml
new file mode 100755
index 000000000000..045ae94e9af1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/fail/windowshostprocess1.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: windowshostprocess1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ windowsOptions:
+ hostProcess: true
+ hostNetwork: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ windowsOptions:
+ hostProcess: true
+ securityContext:
+ windowsOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/apparmorprofile0.yaml
new file mode 100755
index 000000000000..e0c5317d58c1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/apparmorprofile0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
+ name: apparmorprofile0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/base.yaml
new file mode 100755
index 000000000000..acd9c046ec78
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/capabilities_baseline0.yaml
new file mode 100755
index 000000000000..a2b8a9276b5d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/capabilities_baseline0.yaml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/hostports0.yaml
new file mode 100755
index 000000000000..13cb046b9014
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/hostports0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/privileged0.yaml
new file mode 100755
index 000000000000..765eaec4fc6e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/procmount0.yaml
new file mode 100755
index 000000000000..70345187f9c7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/procmount0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ procMount: Default
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ procMount: Default
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/seccompprofile_baseline0.yaml
new file mode 100755
index 000000000000..d18990c9a9b5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/seccompprofile_baseline0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/selinuxoptions0.yaml
new file mode 100755
index 000000000000..1fbc94471d0c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/selinuxoptions0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/selinuxoptions1.yaml
new file mode 100755
index 000000000000..3ff37cc0b5fa
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/selinuxoptions1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ type: container_init_t
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/sysctls0.yaml
new file mode 100755
index 000000000000..221a8da2afe7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/sysctls1.yaml
new file mode 100755
index 000000000000..13adc0c3651f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.25/pass/sysctls1.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation0.yaml
new file mode 100755
index 000000000000..dbc4c4f9fca5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation1.yaml
new file mode 100755
index 000000000000..86064ec7e8d5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation1.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation2.yaml
new file mode 100755
index 000000000000..026ad36e1560
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation2.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation3.yaml
new file mode 100755
index 000000000000..da7f59c24145
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/allowprivilegeescalation3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/apparmorprofile0.yaml
new file mode 100755
index 000000000000..c4625d2f3b9e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/apparmorprofile0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container1: unconfined
+ name: apparmorprofile0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/apparmorprofile1.yaml
new file mode 100755
index 000000000000..9fe2545d387c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/apparmorprofile1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
+ name: apparmorprofile1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline0.yaml
new file mode 100755
index 000000000000..e1aeb36d0dd3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline0.yaml
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline1.yaml new file mode 100755 index 000000000000..f1cbd89432b6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline2.yaml new file mode 100755 index 000000000000..4b26163dcb21 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline2.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline3.yaml new file mode 100755 index 000000000000..7507e1912ea9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_baseline3.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_restricted0.yaml new file mode 100755 index 000000000000..baab0335a257 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_restricted0.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_restricted1.yaml new file mode 100755 index 000000000000..a48200bd93ed --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_restricted1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_restricted2.yaml new file mode 100755 index 000000000000..994711fd4f6f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_restricted2.yaml 
@@ -0,0 +1,97 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - SYS_TIME + - SYS_MODULE + - SYS_RAWIO + - SYS_PACCT + - SYS_ADMIN + - SYS_NICE + - SYS_RESOURCE + - SYS_TIME + - SYS_TTY_CONFIG + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + - MAC_OVERRIDE + - MAC_ADMIN + - NET_ADMIN + - SYSLOG + - CHOWN + - NET_RAW + - DAC_OVERRIDE + - FOWNER + - DAC_READ_SEARCH + - FSETID + - KILL + - SETGID + - SETUID + - LINUX_IMMUTABLE + - NET_BIND_SERVICE + - NET_BROADCAST + - IPC_LOCK + - IPC_OWNER + - SYS_CHROOT + - SYS_PTRACE + - SYS_BOOT + - LEASE + - SETFCAP + - WAKE_ALARM + - BLOCK_SUSPEND + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - SYS_TIME + - SYS_MODULE + - SYS_RAWIO + - SYS_PACCT + - SYS_ADMIN + - SYS_NICE + - SYS_RESOURCE + - SYS_TIME + - SYS_TTY_CONFIG + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + - MAC_OVERRIDE + - MAC_ADMIN + - NET_ADMIN + - SYSLOG + - CHOWN + - NET_RAW + - DAC_OVERRIDE + - FOWNER + - DAC_READ_SEARCH + - FSETID + - KILL + - SETGID + - SETUID + - LINUX_IMMUTABLE + - NET_BIND_SERVICE + - NET_BROADCAST + - IPC_LOCK + - IPC_OWNER + - SYS_CHROOT + - SYS_PTRACE + - SYS_BOOT + - LEASE + - SETFCAP + - WAKE_ALARM + - BLOCK_SUSPEND + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_restricted3.yaml new file mode 100755 index 000000000000..0a8bbe29efa6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/capabilities_restricted3.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostnamespaces0.yaml new file mode 100755 index 000000000000..f729d69cb19b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostnamespaces0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostIPC: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostnamespaces1.yaml new file mode 100755 index 000000000000..0c16379de9d4 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostnamespaces1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostNetwork: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostnamespaces2.yaml new file mode 100755 index 000000000000..3d272354927a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostnamespaces2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostPID: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostpathvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostpathvolumes0.yaml new file mode 100755 index 000000000000..a294eb9f66e5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostpathvolumes0.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - emptyDir: {} + name: volume-emptydir + - hostPath: + path: /a + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostpathvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostpathvolumes1.yaml new file mode 100755 index 000000000000..cea3d964f560 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostpathvolumes1.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /a + name: volume-hostpath-a + - hostPath: + path: /b + name: volume-hostpath-b diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostports0.yaml new file mode 100755 index 000000000000..ff30afbeecfd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostports0.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostports1.yaml new file mode 100755 index 000000000000..98cf6796bd37 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostports1.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostports2.yaml new file mode 100755 index 000000000000..2a4c400dc389 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/hostports2.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + - containerPort: 12347 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + - containerPort: 12348 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/privileged0.yaml new file mode 100755 index 000000000000..ee561fdad82d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/privileged0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + drop: + - ALL + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/privileged1.yaml new file mode 100755 index 000000000000..5f8472299254 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/privileged1.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + capabilities: + drop: + - ALL + privileged: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/procmount0.yaml new file mode 100755 index 000000000000..2e34ce628e16 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/procmount0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/procmount1.yaml new file mode 100755 index 000000000000..760a7733d29c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/procmount1.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes0.yaml new file mode 100755 index 000000000000..9e0ffde39a05 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - gcePersistentDisk: + pdName: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes1.yaml new file mode 100755 index 000000000000..4a739b03d8a9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes1.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - awsElasticBlockStore: + volumeID: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes10.yaml new file mode 100755 index 000000000000..6e7014a80fe0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes10.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - flocker: + datasetName: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes11.yaml new file mode 100755 index 000000000000..89e44823f450 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes11.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - fc: + wwids: + - test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes12.yaml new file mode 100755 index 000000000000..7a4b7158629c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes12.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - azureFile: + secretName: test + shareName: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes13.yaml new file mode 100755 index 000000000000..f55bd1dbc073 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes13.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + vsphereVolume: + volumePath: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes14.yaml new file mode 100755 index 000000000000..5200722eabf3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes14.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + quobyte: + registry: localhost:1234 + volume: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes15.yaml new file mode 100755 index 000000000000..066713d56030 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes15.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - azureDisk: + diskName: test + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes16.yaml new file mode 100755 index 000000000000..8c80507044ee --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes16.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + portworxVolume: + fsType: ext4 + volumeID: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes17.yaml new file mode 100755 index 000000000000..36b4b596770c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes17.yaml 
@@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + scaleIO: + gateway: localhost + secretRef: null + system: test + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes18.yaml new file mode 100755 index 000000000000..1879bc0b3895 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes18.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes19.yaml new file mode 100755 index 000000000000..72cc82809ad9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes19.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /dev/null + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes2.yaml new file mode 100755 index 000000000000..febd366da4b7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes2.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes3.yaml new file mode 100755 index 000000000000..8b270b50715d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes3.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + nfs: + path: /test + server: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes4.yaml new file mode 100755 index 000000000000..d9bbcba20838 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes4.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes5.yaml new file mode 100755 index 000000000000..381f5b4b2782 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes5.yaml 
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - glusterfs:
+ endpoints: test
+ path: test
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes6.yaml
new file mode 100755
index 000000000000..54b75fd52b74
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes6.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: volume1
+ rbd:
+ image: test
+ monitors:
+ - test
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes7.yaml
new file mode 100755
index 000000000000..bec5f894ef8d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes7.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - flexVolume:
+ driver: test
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes8.yaml
new file mode 100755
index 000000000000..57e48267d2b9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes8.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - cinder:
+ volumeID: test
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes9.yaml
new file mode 100755
index 000000000000..50f247bf5585
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/restrictedvolumes9.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - cephfs:
+ monitors:
+ - test
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasnonroot0.yaml
new file mode 100755
index 000000000000..53cd4daf58da
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasnonroot0.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasnonroot1.yaml
new file mode 100755
index 000000000000..aa9066839fb0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasnonroot1.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: false
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasnonroot2.yaml
new file mode 100755
index 000000000000..6a12a28b096d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasnonroot2.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasnonroot3.yaml
new file mode 100755
index 000000000000..77f34f5e951e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasnonroot3.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasuser0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasuser0.yaml
new file mode 100755
index 000000000000..666d99a7aaf6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasuser0.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasuser0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 0
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasuser1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasuser1.yaml
new file mode 100755
index 000000000000..7305f82e753e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasuser1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasuser1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: 0
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasuser2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasuser2.yaml
new file mode 100755
index 000000000000..1c749c6028ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/runasuser2.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasuser2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: 0
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_baseline0.yaml
new file mode 100755
index 000000000000..adf082ec2e12
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_baseline0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: Unconfined
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_baseline1.yaml
new file mode 100755
index 000000000000..1076baa142e4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_baseline1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: Unconfined
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_baseline2.yaml
new file mode 100755
index 000000000000..7bfe59b2271a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_baseline2.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: Unconfined
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted0.yaml
new file mode 100755
index 000000000000..616988938090
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted0.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted1.yaml
new file mode 100755
index 000000000000..d91bf40f6ecf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted1.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: Unconfined
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted2.yaml
new file mode 100755
index 000000000000..70b62895fa99
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted2.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted3.yaml
new file mode 100755
index 000000000000..fa0982673205
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted3.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted4.yaml
new file mode 100755
index 000000000000..18b9c36403d5
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/seccompprofile_restricted4.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: Unconfined
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions0.yaml
new file mode 100755
index 000000000000..ff3c6cf1efe6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions1.yaml
new file mode 100755
index 000000000000..a6e3e9f3f48d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions1.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions2.yaml
new file mode 100755
index 000000000000..737d42ff1a3c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions2.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions3.yaml
new file mode 100755
index 000000000000..e8645f17a030
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions3.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions4.yaml
new file mode 100755
index 000000000000..04a3d9ed6baf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/selinuxoptions4.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/sysctls0.yaml
new file mode 100755
index 000000000000..ab4994e0e327
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/sysctls0.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/windowshostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/windowshostprocess0.yaml
new file mode 100755
index 000000000000..1022b90dba59
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/windowshostprocess0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: windowshostprocess0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ windowsOptions: {}
+ hostNetwork: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ windowsOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ windowsOptions:
+ hostProcess: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/windowshostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/windowshostprocess1.yaml
new file mode 100755
index 000000000000..4451a2a97d66
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/fail/windowshostprocess1.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: windowshostprocess1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ windowsOptions:
+ hostProcess: true
+ hostNetwork: true
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ windowsOptions:
+ hostProcess: true
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ windowsOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/apparmorprofile0.yaml
new file mode 100755
index 000000000000..94be2d8d7cae
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/apparmorprofile0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
+ name: apparmorprofile0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/base.yaml
new file mode 100755
index 000000000000..c583fa75f6af
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/base.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/capabilities_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/capabilities_restricted0.yaml
new file mode 100755
index 000000000000..46e12f62fc44
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/capabilities_restricted0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_restricted0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/hostports0.yaml
new file mode 100755
index 000000000000..3840bfceba42
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/hostports0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/privileged0.yaml
new file mode 100755
index 000000000000..b5bd6ec64f69
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/privileged0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/procmount0.yaml
new file mode 100755
index 000000000000..8d30c6651a41
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/procmount0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ procMount: Default
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ procMount: Default
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/restrictedvolumes0.yaml
new file mode 100755
index 000000000000..f4d226cfd554
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/restrictedvolumes0.yaml
@@ -0,0 +1,47 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume0 + - emptyDir: {} + name: volume1 + - name: volume2 + secret: + secretName: test + - name: volume3 + persistentVolumeClaim: + claimName: test + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume4 + - configMap: + name: test + name: volume5 + - name: volume6 + projected: + sources: [] diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/runasnonroot0.yaml new file mode 100755 index 000000000000..cf7cd3eaf089 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/runasnonroot0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/runasnonroot1.yaml new file mode 100755 index 000000000000..d5c048dabfb0 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/runasnonroot1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/runasuser0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/runasuser0.yaml new file mode 100755 index 000000000000..23867f0f0beb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/runasuser0.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 1000 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 1000 + securityContext: + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/seccompprofile_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/seccompprofile_restricted0.yaml new file mode 100755 index 000000000000..f4e6474e815e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/seccompprofile_restricted0.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/seccompprofile_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/seccompprofile_restricted1.yaml new file mode 100755 index 000000000000..11e0be639d39 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/seccompprofile_restricted1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + localhostProfile: testing + type: Localhost diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/seccompprofile_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/seccompprofile_restricted2.yaml new file mode 100755 index 000000000000..22b87aedef28 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/seccompprofile_restricted2.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + localhostProfile: testing + type: Localhost + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/selinuxoptions0.yaml new file mode 100755 index 000000000000..cb88d6ea4c58 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/selinuxoptions0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/selinuxoptions1.yaml new file mode 100755 index 000000000000..0a13c932f038 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/selinuxoptions1.yaml 
@@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + level: somevalue + type: container_init_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + type: container_kvm_t + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_t + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/sysctls0.yaml new file mode 100755 index 000000000000..45c6d67b18b4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/sysctls0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/sysctls1.yaml new file mode 100755 index 000000000000..962f7d3ab041 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.24/pass/sysctls1.yaml 
@@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + sysctls: + - name: kernel.shm_rmid_forced + value: "0" + - name: net.ipv4.ip_local_port_range + value: 1024 65535 + - name: net.ipv4.tcp_syncookies + value: "0" + - name: net.ipv4.ping_group_range + value: 1 0 + - name: net.ipv4.ip_unprivileged_port_start + value: "1024" diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/allowprivilegeescalation0.yaml new file mode 100755 index 000000000000..dbc4c4f9fca5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/allowprivilegeescalation0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/allowprivilegeescalation1.yaml new file mode 100755 index 000000000000..86064ec7e8d5 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/allowprivilegeescalation1.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/allowprivilegeescalation2.yaml new file mode 100755 index 000000000000..026ad36e1560 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/allowprivilegeescalation2.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/allowprivilegeescalation3.yaml new file mode 100755 index 000000000000..da7f59c24145 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/allowprivilegeescalation3.yaml 
@@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/apparmorprofile0.yaml new file mode 100755 index 000000000000..c4625d2f3b9e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/apparmorprofile0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container1: unconfined + name: apparmorprofile0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/apparmorprofile1.yaml new file mode 100755 index 000000000000..9fe2545d387c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/apparmorprofile1.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined + name: apparmorprofile1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_baseline0.yaml new file mode 100755 index 000000000000..e1aeb36d0dd3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_baseline0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_baseline1.yaml new file mode 100755 index 000000000000..f1cbd89432b6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_baseline1.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_baseline2.yaml new file mode 100755 index 000000000000..4b26163dcb21 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_baseline2.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_baseline3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_baseline3.yaml new file mode 100755 index 000000000000..7507e1912ea9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_baseline3.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_restricted0.yaml new file mode 100755 index 000000000000..baab0335a257 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_restricted0.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_restricted1.yaml new file mode 100755 index 000000000000..a48200bd93ed --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_restricted1.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_restricted2.yaml new file mode 100755 index 000000000000..994711fd4f6f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_restricted2.yaml 
@@ -0,0 +1,97 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - SYS_TIME + - SYS_MODULE + - SYS_RAWIO + - SYS_PACCT + - SYS_ADMIN + - SYS_NICE + - SYS_RESOURCE + - SYS_TIME + - SYS_TTY_CONFIG + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + - MAC_OVERRIDE + - MAC_ADMIN + - NET_ADMIN + - SYSLOG + - CHOWN + - NET_RAW + - DAC_OVERRIDE + - FOWNER + - DAC_READ_SEARCH + - FSETID + - KILL + - SETGID + - SETUID + - LINUX_IMMUTABLE + - NET_BIND_SERVICE + - NET_BROADCAST + - IPC_LOCK + - IPC_OWNER + - SYS_CHROOT + - SYS_PTRACE + - SYS_BOOT + - LEASE + - SETFCAP + - WAKE_ALARM + - BLOCK_SUSPEND + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - SYS_TIME + - SYS_MODULE + - SYS_RAWIO + - SYS_PACCT + - SYS_ADMIN + - SYS_NICE + - SYS_RESOURCE + - SYS_TIME + - SYS_TTY_CONFIG + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + - MAC_OVERRIDE + - MAC_ADMIN + - NET_ADMIN + - SYSLOG + - CHOWN + - NET_RAW + - DAC_OVERRIDE + - FOWNER + - DAC_READ_SEARCH + - FSETID + - KILL + - SETGID + - SETUID + - LINUX_IMMUTABLE + - NET_BIND_SERVICE + - NET_BROADCAST + - IPC_LOCK + - IPC_OWNER + - SYS_CHROOT + - SYS_PTRACE + - SYS_BOOT + - LEASE + - SETFCAP + - WAKE_ALARM + - BLOCK_SUSPEND + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_restricted3.yaml new file mode 100755 index 000000000000..0a8bbe29efa6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/capabilities_restricted3.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostnamespaces0.yaml new file mode 100755 index 000000000000..f729d69cb19b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostnamespaces0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostIPC: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostnamespaces1.yaml new file mode 100755 index 000000000000..0c16379de9d4 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostnamespaces1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostNetwork: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostnamespaces2.yaml new file mode 100755 index 000000000000..3d272354927a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostnamespaces2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostPID: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostpathvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostpathvolumes0.yaml new file mode 100755 index 000000000000..a294eb9f66e5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostpathvolumes0.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - emptyDir: {} + name: volume-emptydir + - hostPath: + path: /a + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostpathvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostpathvolumes1.yaml new file mode 100755 index 000000000000..cea3d964f560 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostpathvolumes1.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /a + name: volume-hostpath-a + - hostPath: + path: /b + name: volume-hostpath-b diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostports0.yaml new file mode 100755 index 000000000000..ff30afbeecfd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostports0.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostports1.yaml new file mode 100755 index 000000000000..98cf6796bd37 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostports1.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostports2.yaml new file mode 100755 index 000000000000..2a4c400dc389 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/hostports2.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + - containerPort: 12347 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + - containerPort: 12348 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/privileged0.yaml new file mode 100755 index 000000000000..ee561fdad82d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/privileged0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + capabilities: + drop: + - ALL + privileged: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/privileged1.yaml new file mode 100755 index 000000000000..5f8472299254 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/privileged1.yaml 
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ privileged: true
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/procmount0.yaml
new file mode 100755
index 000000000000..2e34ce628e16
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/procmount0.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ procMount: Unmasked
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/procmount1.yaml
new file mode 100755
index 000000000000..760a7733d29c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/procmount1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ procMount: Unmasked
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes0.yaml
new file mode 100755
index 000000000000..9e0ffde39a05
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - gcePersistentDisk:
+ pdName: test
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes1.yaml
new file mode 100755
index 000000000000..4a739b03d8a9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes1.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - awsElasticBlockStore:
+ volumeID: test
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes10.yaml
new file mode 100755
index 000000000000..6e7014a80fe0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes10.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes10
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - flocker:
+ datasetName: test
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes11.yaml
new file mode 100755
index 000000000000..89e44823f450
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes11.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes11
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - fc:
+ wwids:
+ - test
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes12.yaml
new file mode 100755
index 000000000000..7a4b7158629c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes12.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes12
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - azureFile:
+ secretName: test
+ shareName: test
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes13.yaml
new file mode 100755
index 000000000000..f55bd1dbc073
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes13.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes13
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: volume1
+ vsphereVolume:
+ volumePath: test
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes14.yaml
new file mode 100755
index 000000000000..5200722eabf3
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes14.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes14
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: volume1
+ quobyte:
+ registry: localhost:1234
+ volume: test
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes15.yaml
new file mode 100755
index 000000000000..066713d56030
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes15.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes15
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - azureDisk:
+ diskName: test
+ diskURI: https://test.blob.core.windows.net/test/test.vhd
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes16.yaml
new file mode 100755
index 000000000000..8c80507044ee
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes16.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes16
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: volume1
+ portworxVolume:
+ fsType: ext4
+ volumeID: test
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes17.yaml
new file mode 100755
index 000000000000..36b4b596770c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes17.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes17
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: volume1
+ scaleIO:
+ gateway: localhost
+ secretRef: null
+ system: test
+ volumeName: test
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes18.yaml
new file mode 100755
index 000000000000..1879bc0b3895
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes18.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes18
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: volume1
+ storageos:
+ volumeName: test
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes19.yaml
new file mode 100755
index 000000000000..72cc82809ad9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes19.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes19
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - hostPath:
+ path: /dev/null
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes2.yaml
new file mode 100755
index 000000000000..febd366da4b7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes2.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - gitRepo:
+ repository: github.com/kubernetes/kubernetes
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes3.yaml
new file mode 100755
index 000000000000..8b270b50715d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes3.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: volume1
+ nfs:
+ path: /test
+ server: test
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes4.yaml
new file mode 100755
index 000000000000..d9bbcba20838
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes4.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes4
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - iscsi:
+ iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz
+ lun: 0
+ targetPortal: test
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes5.yaml
new file mode 100755
index 000000000000..381f5b4b2782
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes5.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes5
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - glusterfs:
+ endpoints: test
+ path: test
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes6.yaml
new file mode 100755
index 000000000000..54b75fd52b74
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes6.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes6
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: volume1
+ rbd:
+ image: test
+ monitors:
+ - test
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes7.yaml
new file mode 100755
index 000000000000..bec5f894ef8d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes7.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes7
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - flexVolume:
+ driver: test
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes8.yaml
new file mode 100755
index 000000000000..57e48267d2b9
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes8.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes8
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - cinder:
+ volumeID: test
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes9.yaml
new file mode 100755
index 000000000000..50f247bf5585
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/restrictedvolumes9.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes9
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - cephfs:
+ monitors:
+ - test
+ name: volume1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasnonroot0.yaml
new file mode 100755
index 000000000000..53cd4daf58da
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasnonroot0.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasnonroot1.yaml
new file mode 100755
index 000000000000..aa9066839fb0
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasnonroot1.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: false
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasnonroot2.yaml
new file mode 100755
index 000000000000..6a12a28b096d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasnonroot2.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: false
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasnonroot3.yaml
new file mode 100755
index 000000000000..77f34f5e951e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasnonroot3.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot3
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: false
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasuser0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasuser0.yaml
new file mode 100755
index 000000000000..666d99a7aaf6
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasuser0.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasuser0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 0
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasuser1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasuser1.yaml
new file mode 100755
index 000000000000..7305f82e753e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasuser1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasuser1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: 0
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasuser2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasuser2.yaml
new file mode 100755
index 000000000000..1c749c6028ff
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/runasuser2.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasuser2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: 0
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_baseline0.yaml
new file mode 100755
index 000000000000..adf082ec2e12
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_baseline0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: Unconfined
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_baseline1.yaml
new file mode 100755
index 000000000000..1076baa142e4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_baseline1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: Unconfined
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_baseline2.yaml
new file mode 100755
index 000000000000..7bfe59b2271a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_baseline2.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: Unconfined
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted0.yaml
new file mode 100755
index 000000000000..616988938090
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted0.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted0
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted1.yaml
new file mode 100755
index 000000000000..d91bf40f6ecf
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted1.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted1
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: Unconfined
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted2.yaml
new file mode 100755
index 000000000000..70b62895fa99
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted2.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted2
+spec:
+ containers:
+ - image: k8s.gcr.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: k8s.gcr.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted3.yaml
new file mode 100755
index 000000000000..fa0982673205
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted3.yaml
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted4.yaml new file mode 100755 index 000000000000..18b9c36403d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/seccompprofile_restricted4.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions0.yaml new file mode 100755 index 000000000000..ff3c6cf1efe6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions0.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions1.yaml new file mode 100755 index 000000000000..a6e3e9f3f48d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions1.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + type: somevalue + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions2.yaml new file mode 100755 index 000000000000..737d42ff1a3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions2.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + type: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions3.yaml new file mode 100755 index 000000000000..e8645f17a030 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions3.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + user: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions4.yaml new file mode 100755 index 000000000000..04a3d9ed6baf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/selinuxoptions4.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + role: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/sysctls0.yaml new file mode 100755 index 000000000000..ab4994e0e327 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/sysctls0.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + sysctls: + - name: othersysctl + value: other diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/windowshostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/windowshostprocess0.yaml new file mode 100755 index 000000000000..1022b90dba59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/windowshostprocess0.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: windowshostprocess0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + windowsOptions: {} + hostNetwork: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + windowsOptions: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/windowshostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/windowshostprocess1.yaml new file mode 100755 index 000000000000..4451a2a97d66 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/fail/windowshostprocess1.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: windowshostprocess1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + windowsOptions: + hostProcess: true + hostNetwork: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + windowsOptions: + hostProcess: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + windowsOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/apparmorprofile0.yaml new file mode 100755 index 000000000000..94be2d8d7cae --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/apparmorprofile0.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container1: localhost/foo + name: apparmorprofile0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/base.yaml new file mode 100755 index 000000000000..c583fa75f6af --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/base.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/base_linux.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/base_linux.yaml new file mode 100755 index 000000000000..741719652f81 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/base_linux.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base_linux +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + os: + name: linux + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/base_windows.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/base_windows.yaml new file mode 100755 index 000000000000..685cdcc4b32a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/base_windows.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base_windows +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + os: + name: windows + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/capabilities_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/capabilities_restricted0.yaml new file mode 100755 index 000000000000..46e12f62fc44 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/capabilities_restricted0.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/hostports0.yaml new file mode 100755 index 000000000000..3840bfceba42 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/hostports0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + ports: + - containerPort: 12345 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/privileged0.yaml new file mode 100755 index 000000000000..b5bd6ec64f69 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/privileged0.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/procmount0.yaml new file mode 100755 index 000000000000..8d30c6651a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/procmount0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Default + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Default + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/restrictedvolumes0.yaml new file mode 100755 index 000000000000..f4d226cfd554 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/restrictedvolumes0.yaml 
@@ -0,0 +1,47 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume0 + - emptyDir: {} + name: volume1 + - name: volume2 + secret: + secretName: test + - name: volume3 + persistentVolumeClaim: + claimName: test + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume4 + - configMap: + name: test + name: volume5 + - name: volume6 + projected: + sources: [] diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/runasnonroot0.yaml new file mode 100755 index 000000000000..cf7cd3eaf089 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/runasnonroot0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/runasnonroot1.yaml new file mode 100755 index 000000000000..d5c048dabfb0 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/runasnonroot1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/runasuser0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/runasuser0.yaml new file mode 100755 index 000000000000..23867f0f0beb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/runasuser0.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 1000 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 1000 + securityContext: + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/seccompprofile_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/seccompprofile_restricted0.yaml new file mode 100755 index 000000000000..f4e6474e815e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/seccompprofile_restricted0.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/seccompprofile_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/seccompprofile_restricted1.yaml new file mode 100755 index 000000000000..11e0be639d39 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/seccompprofile_restricted1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + localhostProfile: testing + type: Localhost diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/seccompprofile_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/seccompprofile_restricted2.yaml new file mode 100755 index 000000000000..22b87aedef28 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/seccompprofile_restricted2.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + localhostProfile: testing + type: Localhost + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/selinuxoptions0.yaml new file mode 100755 index 000000000000..cb88d6ea4c58 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/selinuxoptions0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/selinuxoptions1.yaml new file mode 100755 index 000000000000..0a13c932f038 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/selinuxoptions1.yaml 
@@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + level: somevalue + type: container_init_t + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + type: container_kvm_t + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_t + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/sysctls0.yaml new file mode 100755 index 000000000000..45c6d67b18b4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/sysctls0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/sysctls1.yaml new file mode 100755 index 000000000000..962f7d3ab041 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.25/pass/sysctls1.yaml 
@@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + sysctls: + - name: kernel.shm_rmid_forced + value: "0" + - name: net.ipv4.ip_local_port_range + value: 1024 65535 + - name: net.ipv4.tcp_syncookies + value: "0" + - name: net.ipv4.ping_group_range + value: 1 0 + - name: net.ipv4.ip_unprivileged_port_start + value: "1024"