From e8bd3f629d435797c586726d3b76fd90d7b5bf08 Mon Sep 17 00:00:00 2001 From: Peter Hunt Date: Fri, 6 Jun 2025 15:30:10 -0400 Subject: [PATCH] drop UserNamespacesPodSecurityStandards feature gate this feature gate was meant to be ephemeral, and only was used for guaranteeing a cluster admin didn't accidentally relax PSA policies before the kubelet would deny creation of a pod requesting user namespaces if the kubelet didn't support them. As of kube 1.33, the supported apiserver version skew of n-3 guarantees that all supported kubelets are of 1.30 or later, meaning they do this. Now, we can unconditionally relax PSA policy if a pod is in a user namespace. This PR preserves the default behavior of older policy versions by never relaxing 
Signed-off-by: Peter Hunt --- pkg/features/kube_features.go | 17 ---- .../security/podsecurity/admission.go | 12 --- .../security/podsecurity/admission_test.go | 3 - ...ocMount.go => check_procMount_baseline.go} | 38 ++++---- ...st.go => check_procMount_baseline_test.go} | 36 +++---- .../policy/check_procMount_restricted.go | 56 +++++++++++ .../policy/check_procMount_restricted_test.go | 71 ++++++++++++++ .../policy/check_runAsNonRoot.go | 16 ++- .../policy/check_runAsNonRoot_test.go | 37 ++----- .../policy/check_runAsUser.go | 14 ++- .../policy/check_runAsUser_test.go | 38 ++------ .../pod-security-admission/policy/helpers.go | 15 +-- .../test/fixtures_procMount.go | 92 +++++++++++++++++- .../k8s.io/pod-security-admission/test/run.go | 2 +- .../baseline/v1.35/fail/apparmorprofile0.yaml | 13 +++ .../baseline/v1.35/fail/apparmorprofile1.yaml | 13 +++ .../v1.35/fail/capabilities_baseline0.yaml | 18 ++++ .../v1.35/fail/capabilities_baseline1.yaml | 18 ++++ .../v1.35/fail/capabilities_baseline2.yaml | 18 ++++ .../v1.35/fail/capabilities_baseline3.yaml | 18 ++++ .../baseline/v1.35/fail/hostnamespaces0.yaml | 12 +++ .../baseline/v1.35/fail/hostnamespaces1.yaml | 12 +++ .../baseline/v1.35/fail/hostnamespaces2.yaml | 12 +++ .../baseline/v1.35/fail/hostpathvolumes0.yaml | 17 ++++ .../baseline/v1.35/fail/hostpathvolumes1.yaml | 18 ++++ .../baseline/v1.35/fail/hostports0.yaml | 14 +++ .../baseline/v1.35/fail/hostports1.yaml | 14 +++ .../baseline/v1.35/fail/hostports2.yaml | 19 ++++ .../fail/hostprobesandhostlifecycle0.yaml | 15 +++ .../fail/hostprobesandhostlifecycle1.yaml | 16 +++ .../fail/hostprobesandhostlifecycle2.yaml | 16 +++ .../fail/hostprobesandhostlifecycle3.yaml | 15 +++ .../fail/hostprobesandhostlifecycle4.yaml | 15 +++ .../baseline/v1.35/fail/privileged0.yaml | 15 +++ .../baseline/v1.35/fail/privileged1.yaml | 15 +++ .../baseline/v1.35/fail/procmount0.yaml | 16 +++ .../baseline/v1.35/fail/procmount1.yaml | 16 +++ .../v1.35/fail/seccompprofile_baseline0.yaml | 16 
+++ .../v1.35/fail/seccompprofile_baseline1.yaml | 16 +++ .../v1.35/fail/seccompprofile_baseline2.yaml | 16 +++ .../baseline/v1.35/fail/selinuxoptions0.yaml | 18 ++++ .../baseline/v1.35/fail/selinuxoptions1.yaml | 18 ++++ .../baseline/v1.35/fail/selinuxoptions2.yaml | 18 ++++ .../baseline/v1.35/fail/selinuxoptions3.yaml | 18 ++++ .../baseline/v1.35/fail/selinuxoptions4.yaml | 18 ++++ .../baseline/v1.35/fail/sysctls0.yaml | 15 +++ .../v1.35/fail/windowshostprocess0.yaml | 19 ++++ .../v1.35/fail/windowshostprocess1.yaml | 20 ++++ .../baseline/v1.35/pass/apparmorprofile0.yaml | 13 +++ .../testdata/baseline/v1.35/pass/base.yaml | 11 +++ .../v1.35/pass/capabilities_baseline0.yaml | 44 +++++++++ .../baseline/v1.35/pass/hostports0.yaml | 15 +++ .../pass/hostprobesandhostlifecycle0.yaml | 11 +++ .../pass/hostprobesandhostlifecycle1.yaml | 14 +++ .../pass/hostprobesandhostlifecycle2.yaml | 14 +++ .../baseline/v1.35/pass/privileged0.yaml | 16 +++ .../baseline/v1.35/pass/procmount0.yaml | 17 ++++ .../baseline/v1.35/pass/procmount1.yaml | 17 ++++ .../v1.35/pass/seccompprofile_baseline0.yaml | 18 ++++ .../baseline/v1.35/pass/selinuxoptions0.yaml | 15 +++ .../baseline/v1.35/pass/selinuxoptions1.yaml | 21 ++++ .../baseline/v1.35/pass/sysctls0.yaml | 12 +++ .../baseline/v1.35/pass/sysctls1.yaml | 17 ++++ .../v1.35/fail/allowprivilegeescalation0.yaml | 25 +++++ .../v1.35/fail/allowprivilegeescalation1.yaml | 25 +++++ .../v1.35/fail/allowprivilegeescalation2.yaml | 24 +++++ .../v1.35/fail/allowprivilegeescalation3.yaml | 20 ++++ .../v1.35/fail/apparmorprofile0.yaml | 27 ++++++ .../v1.35/fail/apparmorprofile1.yaml | 27 ++++++ .../v1.35/fail/capabilities_baseline0.yaml | 27 ++++++ .../v1.35/fail/capabilities_baseline1.yaml | 27 ++++++ .../v1.35/fail/capabilities_baseline2.yaml | 27 ++++++ .../v1.35/fail/capabilities_baseline3.yaml | 27 ++++++ .../v1.35/fail/capabilities_restricted0.yaml | 23 +++++ .../v1.35/fail/capabilities_restricted1.yaml | 23 +++++ 
.../v1.35/fail/capabilities_restricted2.yaml | 97 +++++++++++++++++++ .../v1.35/fail/capabilities_restricted3.yaml | 53 ++++++++++ .../v1.35/fail/hostnamespaces0.yaml | 26 +++++ .../v1.35/fail/hostnamespaces1.yaml | 26 +++++ .../v1.35/fail/hostnamespaces2.yaml | 26 +++++ .../v1.35/fail/hostpathvolumes0.yaml | 31 ++++++ .../v1.35/fail/hostpathvolumes1.yaml | 32 ++++++ .../restricted/v1.35/fail/hostports0.yaml | 28 ++++++ .../restricted/v1.35/fail/hostports1.yaml | 28 ++++++ .../restricted/v1.35/fail/hostports2.yaml | 33 +++++++ .../fail/hostprobesandhostlifecycle0.yaml | 29 ++++++ .../fail/hostprobesandhostlifecycle1.yaml | 30 ++++++ .../fail/hostprobesandhostlifecycle2.yaml | 30 ++++++ .../fail/hostprobesandhostlifecycle3.yaml | 29 ++++++ .../fail/hostprobesandhostlifecycle4.yaml | 29 ++++++ .../restricted/v1.35/fail/privileged0.yaml | 25 +++++ .../restricted/v1.35/fail/privileged1.yaml | 25 +++++ .../restricted/v1.35/fail/procmount0.yaml | 27 ++++++ .../restricted/v1.35/fail/procmount1.yaml | 27 ++++++ .../v1.35/fail/procmount_restricted0.yaml | 27 ++++++ .../v1.35/fail/procmount_restricted1.yaml | 27 ++++++ .../v1.35/fail/restrictedvolumes0.yaml | 29 ++++++ .../v1.35/fail/restrictedvolumes1.yaml | 29 ++++++ .../v1.35/fail/restrictedvolumes10.yaml | 29 ++++++ .../v1.35/fail/restrictedvolumes11.yaml | 30 ++++++ .../v1.35/fail/restrictedvolumes12.yaml | 30 ++++++ .../v1.35/fail/restrictedvolumes13.yaml | 29 ++++++ .../v1.35/fail/restrictedvolumes14.yaml | 30 ++++++ .../v1.35/fail/restrictedvolumes15.yaml | 30 ++++++ .../v1.35/fail/restrictedvolumes16.yaml | 30 ++++++ .../v1.35/fail/restrictedvolumes17.yaml | 32 ++++++ .../v1.35/fail/restrictedvolumes18.yaml | 29 ++++++ .../v1.35/fail/restrictedvolumes19.yaml | 29 ++++++ .../v1.35/fail/restrictedvolumes2.yaml | 29 ++++++ .../v1.35/fail/restrictedvolumes3.yaml | 30 ++++++ .../v1.35/fail/restrictedvolumes4.yaml | 31 ++++++ .../v1.35/fail/restrictedvolumes5.yaml | 30 ++++++ .../v1.35/fail/restrictedvolumes6.yaml | 31 
++++++ .../v1.35/fail/restrictedvolumes7.yaml | 29 ++++++ .../v1.35/fail/restrictedvolumes8.yaml | 29 ++++++ .../v1.35/fail/restrictedvolumes9.yaml | 30 ++++++ .../restricted/v1.35/fail/runasnonroot0.yaml | 24 +++++ .../restricted/v1.35/fail/runasnonroot1.yaml | 25 +++++ .../restricted/v1.35/fail/runasnonroot2.yaml | 26 +++++ .../restricted/v1.35/fail/runasnonroot3.yaml | 26 +++++ .../restricted/v1.35/fail/runasuser0.yaml | 26 +++++ .../restricted/v1.35/fail/runasuser1.yaml | 26 +++++ .../restricted/v1.35/fail/runasuser2.yaml | 26 +++++ .../v1.35/fail/seccompprofile_baseline0.yaml | 25 +++++ .../v1.35/fail/seccompprofile_baseline1.yaml | 27 ++++++ .../v1.35/fail/seccompprofile_baseline2.yaml | 27 ++++++ .../fail/seccompprofile_restricted0.yaml | 23 +++++ .../fail/seccompprofile_restricted1.yaml | 25 +++++ .../fail/seccompprofile_restricted2.yaml | 25 +++++ .../fail/seccompprofile_restricted3.yaml | 25 +++++ .../fail/seccompprofile_restricted4.yaml | 27 ++++++ .../v1.35/fail/selinuxoptions0.yaml | 29 ++++++ .../v1.35/fail/selinuxoptions1.yaml | 29 ++++++ .../v1.35/fail/selinuxoptions2.yaml | 29 ++++++ .../v1.35/fail/selinuxoptions3.yaml | 29 ++++++ .../v1.35/fail/selinuxoptions4.yaml | 29 ++++++ .../restricted/v1.35/fail/sysctls0.yaml | 28 ++++++ .../v1.35/fail/windowshostprocess0.yaml | 30 ++++++ .../v1.35/fail/windowshostprocess1.yaml | 31 ++++++ .../v1.35/pass/apparmorprofile0.yaml | 27 ++++++ .../testdata/restricted/v1.35/pass/base.yaml | 25 +++++ .../restricted/v1.35/pass/base_linux.yaml | 27 ++++++ .../restricted/v1.35/pass/base_windows.yaml | 15 +++ .../v1.35/pass/capabilities_restricted0.yaml | 29 ++++++ .../restricted/v1.35/pass/hostports0.yaml | 29 ++++++ .../pass/hostprobesandhostlifecycle0.yaml | 25 +++++ .../pass/hostprobesandhostlifecycle1.yaml | 28 ++++++ .../pass/hostprobesandhostlifecycle2.yaml | 28 ++++++ .../restricted/v1.35/pass/privileged0.yaml | 27 ++++++ .../restricted/v1.35/pass/procmount0.yaml | 28 ++++++ 
.../restricted/v1.35/pass/procmount1.yaml | 28 ++++++ .../v1.35/pass/procmount_restricted0.yaml | 28 ++++++ .../v1.35/pass/restrictedvolumes0.yaml | 47 +++++++++ .../restricted/v1.35/pass/runasnonroot0.yaml | 25 +++++ .../restricted/v1.35/pass/runasnonroot1.yaml | 26 +++++ .../restricted/v1.35/pass/runasuser0.yaml | 28 ++++++ .../pass/seccompprofile_restricted0.yaml | 25 +++++ .../pass/seccompprofile_restricted1.yaml | 26 +++++ .../pass/seccompprofile_restricted2.yaml | 28 ++++++ .../v1.35/pass/selinuxoptions0.yaml | 26 +++++ .../v1.35/pass/selinuxoptions1.yaml | 32 ++++++ .../restricted/v1.35/pass/sysctls0.yaml | 25 +++++ .../restricted/v1.35/pass/sysctls1.yaml | 30 ++++++ .../reference/versioned_feature_list.yaml | 6 -- test/e2e/common/node/security_context.go | 6 +- test/e2e/feature/feature.go | 6 -- 166 files changed, 3961 insertions(+), 167 deletions(-) rename staging/src/k8s.io/pod-security-admission/policy/{check_procMount.go => check_procMount_baseline.go} (74%) rename staging/src/k8s.io/pod-security-admission/policy/{check_procMount_test.go => check_procMount_baseline_test.go} (80%) create mode 100644 staging/src/k8s.io/pod-security-admission/policy/check_procMount_restricted.go create mode 100644 staging/src/k8s.io/pod-security-admission/policy/check_procMount_restricted_test.go create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/apparmorprofile0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/apparmorprofile1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline2.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount0.yaml 
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/sysctls0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/apparmorprofile0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/base.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/capabilities_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostports0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle0.yaml 
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/seccompprofile_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports2.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes10.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes11.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes12.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes13.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes14.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes15.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes16.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes17.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes18.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes19.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes5.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes6.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes7.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes8.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes9.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/sysctls0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/windowshostprocess0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/windowshostprocess1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/apparmorprofile0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base_linux.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base_windows.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/capabilities_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostports0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/privileged0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/restrictedvolumes0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasnonroot0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasnonroot1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasuser0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/selinuxoptions0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/selinuxoptions1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/sysctls0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/sysctls1.yaml diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go index 3b7f7ab9456..61f066fc4e4 100644 --- a/pkg/features/kube_features.go +++ b/pkg/features/kube_features.go 
@@ -984,17 +984,6 @@ const (
 	// Proxies client to an apiserver capable of serving the request in the event of version skew.
 	UnknownVersionInteroperabilityProxy featuregate.Feature = "UnknownVersionInteroperabilityProxy"
 
-	// owner: @saschagrunert
-	//
-	// Enables user namespace support for Pod Security Standards. Enabling this
-	// feature will modify all Pod Security Standard rules to allow setting:
-	// spec[.*].securityContext.[runAsNonRoot,runAsUser]
-	// This feature gate should only be enabled if all nodes in the cluster
-	// support the user namespace feature and have it enabled. The feature gate
-	// will not graduate or be enabled by default in future Kubernetes
-	// releases.
-	UserNamespacesPodSecurityStandards featuregate.Feature = "UserNamespacesPodSecurityStandards"
-
 	// owner: @rata, @giuseppe
 	// kep: https://kep.k8s.io/127
 	//
@@ -1751,10 +1740,6 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.28"), Default: false, PreRelease: featuregate.Alpha},
 	},
 
-	UserNamespacesPodSecurityStandards: {
-		{Version: version.MustParse("1.29"), Default: false, PreRelease: featuregate.Alpha},
-	},
-
 	UserNamespacesSupport: {
 		{Version: version.MustParse("1.25"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.30"), Default: false, PreRelease: featuregate.Beta},
@@ -2295,8 +2280,6 @@ var defaultKubernetesFeatureGateDependencies = map[featuregate.Feature][]feature
 
 	UnknownVersionInteroperabilityProxy: {},
 
-	UserNamespacesPodSecurityStandards: {},
-
 	UserNamespacesSupport: {},
 
 	VolumeAttributesClass: {},
diff --git a/plugin/pkg/admission/security/podsecurity/admission.go b/plugin/pkg/admission/security/podsecurity/admission.go
index 879c1a6f7e7..74299eaaf55 100644
--- a/plugin/pkg/admission/security/podsecurity/admission.go
+++ b/plugin/pkg/admission/security/podsecurity/admission.go
@@ -27,7 +27,6 @@ import ( _ "k8s.io/kubernetes/pkg/apis/apps/install" _ "k8s.io/kubernetes/pkg/apis/batch/install" _ "k8s.io/kubernetes/pkg/apis/core/install" - "k8s.io/kubernetes/pkg/features" admissionv1 "k8s.io/api/admission/v1" appsv1 "k8s.io/api/apps/v1" @@ -44,7 +43,6 @@ import ( "k8s.io/client-go/kubernetes" corev1listers "k8s.io/client-go/listers/core/v1" "k8s.io/component-base/compatibility" - "k8s.io/component-base/featuregate" "k8s.io/component-base/metrics/legacyregistry" "k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/apis/apps" @@ -71,8 +69,6 @@ func Register(plugins *admission.Plugins) { type Plugin struct { *admission.Handler - inspectedFeatureGates bool - inspectedEffectiveVersion bool emulationVersion *podsecurityadmissionapi.Version @@ -173,16 +169,8 @@ func (p *Plugin) InspectEffectiveVersion(version compatibility.EffectiveVersion) } } -func (p *Plugin) InspectFeatureGates(featureGates featuregate.FeatureGate) { - p.inspectedFeatureGates = true - policy.RelaxPolicyForUserNamespacePods(featureGates.Enabled(features.UserNamespacesPodSecurityStandards)) -} - // ValidateInitialization ensures all required options are set func (p *Plugin) ValidateInitialization() error { - if !p.inspectedFeatureGates { - return fmt.Errorf("%s did not see feature gates", PluginName) - } if !p.inspectedEffectiveVersion { return fmt.Errorf("%s did not see effective version", PluginName) } diff --git a/plugin/pkg/admission/security/podsecurity/admission_test.go b/plugin/pkg/admission/security/podsecurity/admission_test.go index e4a6c253cf0..4f3873a1d4f 100644 --- a/plugin/pkg/admission/security/podsecurity/admission_test.go +++ b/plugin/pkg/admission/security/podsecurity/admission_test.go 
@@ -33,7 +33,6 @@ import (
 	"k8s.io/apiserver/pkg/admission"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/util/compatibility"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/apiserver/pkg/warning"
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
@@ -84,7 +83,6 @@ func BenchmarkVerifyPod(b *testing.B) {
 	}
 
 	p.InspectEffectiveVersion(compatibility.DefaultBuildEffectiveVersion())
-	p.InspectFeatureGates(utilfeature.DefaultFeatureGate)
 
 	enforceImplicitPrivilegedNamespace := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "enforce-implicit", Labels: map[string]string{}}}
 	enforcePrivilegedNamespace := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "enforce-privileged", Labels: map[string]string{"pod-security.kubernetes.io/enforce": "privileged"}}}
@@ -193,7 +191,6 @@ func BenchmarkVerifyNamespace(b *testing.B) {
 	}
 
 	p.InspectEffectiveVersion(compatibility.DefaultBuildEffectiveVersion())
-	p.InspectFeatureGates(utilfeature.DefaultFeatureGate)
 
 	namespace := "enforce"
 	enforceNamespaceBaselineV1 := &corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: namespace, Labels: map[string]string{"pod-security.kubernetes.io/enforce": "baseline"}}}
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_procMount.go b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_baseline.go
similarity index 74%
rename from staging/src/k8s.io/pod-security-admission/policy/check_procMount.go
rename to staging/src/k8s.io/pod-security-admission/policy/check_procMount_baseline.go
index 8ec585b9c98..bd19b4c656e 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_procMount.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_baseline.go
@@ -27,27 +27,25 @@ import (
 /*
-The default /proc masks are set up to reduce attack surface, and should be required.
+The default /proc masks are set up to reduce attack surface, and should be required
+by the baseline policy unless the pod is in a user namespace ("hostUsers: false").
 **Restricted Fields:**
 spec.containers[*].securityContext.procMount
 spec.initContainers[*].securityContext.procMount
-**Allowed Values:** undefined/null, "Default"
-
-However, if the pod is in a user namespace (`hostUsers: false`), and the
-UserNamespacesPodSecurityStandards feature is enabled, all values are allowed.
-
+**Allowed Values:** undefined/null, "Default" (or any value if "hostUsers" is false)
 */
 func init() {
- addCheck(CheckProcMount)
+ addCheck(CheckProcMountBaseline)
 }
 // CheckProcMount returns a baseline level check that restricts
 // setting the value of securityContext.procMount to DefaultProcMount
-// in 1.0+
-func CheckProcMount() Check {
+// in 1.0+.
+// Starting in 1.35+, any value is allowed if the pod is in a user namespace ("hostUsers: false").
+func CheckProcMountBaseline() Check {
 return Check{
 ID: "procMount",
 Level: api.LevelBaseline,
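Review bot: The doc comment still names the old function: `// CheckProcMount returns a baseline level check that restricts` now sits above `CheckProcMountBaseline`, so godoc and the lint rule that requires a comment to start with the identifier will both flag it. Change the first line to `// CheckProcMountBaseline returns a baseline level check that restricts`. The allowed-values line in the policy block could also state the version boundary, e.g. `**Allowed Values:** undefined/null, "Default" (in 1.35+, any value if "hostUsers" is false)`, since the 1.0 version of this check still blocks user-namespace pods.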
@@ -56,19 +54,16 @@ func CheckProcMount() Check {
 MinimumVersion: api.MajorMinorVersion(1, 0),
 CheckPod: procMount_1_0,
 },
+ {
+ MinimumVersion: api.MajorMinorVersion(1, 35),
+ CheckPod: procMount1_35baseline,
+ },
 },
 }
 }
+// procMount_1_0 blocks unmasked procMount unconditionally
 func procMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
- // TODO: When we remove the UserNamespacesPodSecurityStandards feature gate (and GA this relaxation),
- // create a new policy version.
- // Note: pod validation will check for well formed procMount type, so avoid double validation and allow everything
- // here.
- if relaxPolicyForUserNamespacePod(podSpec) {
- return CheckResult{Allowed: true}
- }
-
 var badContainers []string
 forbiddenProcMountTypes := sets.NewString()
 visitContainers(podSpec, func(container *corev1.Container) {
@@ -100,3 +95,12 @@ func procMount_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) Chec
 }
 return CheckResult{Allowed: true}
 }
+
+// procMount1_35baseline blocks unmasked procMount for pods that are not in a user namespace
+func procMount1_35baseline(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+ if relaxPolicyForUserNamespacePod(podSpec) {
+ return CheckResult{Allowed: true}
+ }
+ // If the pod is not in a user namespace, treat it as restricted.
+ return procMount_1_0(podMetadata, podSpec)
+}
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_procMount_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_baseline_test.go
similarity index 80%
rename from staging/src/k8s.io/pod-security-admission/policy/check_procMount_test.go
rename to staging/src/k8s.io/pod-security-admission/policy/check_procMount_baseline_test.go
index 576be1e743d..64689952ab1 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_procMount_test.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_baseline_test.go
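Review bot: The comment inside `procMount1_35baseline`, `// If the pod is not in a user namespace, treat it as restricted.`, is misleading: the fallback is the unconditional 1.0 baseline check, not the restricted profile, which gets its own check in this PR. Suggest `// Outside a user namespace, fall back to the unconditional 1.0 baseline check.` Separately, `procMount1_35baseline` departs from the `procMount_1_0` / `runAsUser_1_23` naming that the existing versioned checks use, and `runAsNonRoot1_35` and `runAsUser1_35` follow the new form; if the mixed style is a concession to a linter that rejects underscores in new identifiers, a one-line comment saying so at the first occurrence would save the next reader the question.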
@@ -20,21 +20,20 @@ import ( "testing" corev1 "k8s.io/api/core/v1" + "k8s.io/utils/ptr" ) -func TestProcMount(t *testing.T) { +func TestProcMountBaseline(t *testing.T) { defaultValue := corev1.DefaultProcMount unmaskedValue := corev1.UnmaskedProcMount otherValue := corev1.ProcMountType("other") - hostUsers := false tests := []struct { - name string - pod *corev1.Pod - expectReason string - expectDetail string - expectAllowed bool - relaxForUserNS bool + name string + pod *corev1.Pod + expectReason string + expectDetail string + expectAllowed bool }{ { name: "procMount", @@ -46,14 +45,14 @@ func TestProcMount(t *testing.T) { {Name: "d", SecurityContext: &corev1.SecurityContext{ProcMount: &unmaskedValue}}, {Name: "e", SecurityContext: &corev1.SecurityContext{ProcMount: &otherValue}}, }, - HostUsers: &hostUsers, + HostUsers: ptr.To(true), }}, expectReason: `procMount`, expectAllowed: false, expectDetail: `containers "d", "e" must not set securityContext.procMount to "Unmasked", "other"`, }, { - name: "procMount", + name: "procMount with userns", pod: &corev1.Pod{Spec: corev1.PodSpec{ Containers: []corev1.Container{ {Name: "a", SecurityContext: nil}, 
@@ -62,24 +61,17 @@ func TestProcMount(t *testing.T) { {Name: "d", SecurityContext: &corev1.SecurityContext{ProcMount: &unmaskedValue}}, {Name: "e", SecurityContext: &corev1.SecurityContext{ProcMount: &otherValue}}, }, - HostUsers: &hostUsers, + HostUsers: ptr.To(false), }}, - expectReason: "", - expectDetail: "", - expectAllowed: true, - relaxForUserNS: true, + expectReason: "", + expectDetail: "", + expectAllowed: true, }, } for _, tc := range tests { t.Run(tc.name, func(t *testing.T) { - if tc.relaxForUserNS { - RelaxPolicyForUserNamespacePods(true) - t.Cleanup(func() { - RelaxPolicyForUserNamespacePods(false) - }) - } - result := procMount_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec) + result := procMount1_35baseline(&tc.pod.ObjectMeta, &tc.pod.Spec) if result.Allowed != tc.expectAllowed { t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed) } diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_procMount_restricted.go b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_restricted.go new file mode 100644 index 00000000000..5d6559ad4f1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_restricted.go 
@@ -0,0 +1,56 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+ "k8s.io/pod-security-admission/api"
+)
+
+/*
+
+The default /proc masks are set up to reduce attack surface, and should be required by the restricted profile.
+
+**Restricted Fields:**
+spec.containers[*].securityContext.procMount
+spec.initContainers[*].securityContext.procMount
+
+**Allowed Values:** undefined/null, "Default"
+
+*/
+
+func init() {
+ addCheck(CheckProcMountRestricted)
+}
+
+// CheckProcMountRestricted returns a restricted level check that forbids unmasked procmount.
+func CheckProcMountRestricted() Check {
+ return Check{
+ ID: "procMount_restricted",
+ Level: api.LevelRestricted,
+ Versions: []VersionedCheck{
+ {
+ // Prior to 1.35, the baseline "procMount" check ran procMount_1_0 to unconditionally block unmasked procMount.
+ // In 1.35+, baseline conditionally relaxes for user namespace pods.
+ // Starting at that version, keep running the unconditional block in the restricted profile,
+ // and override the slightly weaker version of the same check from the baseline profile.
+ MinimumVersion: api.MajorMinorVersion(1, 35),
+ CheckPod: procMount_1_0,
+ OverrideCheckIDs: []CheckID{"procMount"},
+ },
+ },
+ }
+}
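Review bot: The doc comment `// CheckProcMountRestricted returns a restricted level check that forbids unmasked procmount.` understates what `procMount_1_0` enforces: every value other than unset/"Default" is rejected (the accompanying test expects `"Unmasked", "other"` in the detail) and `hostUsers` is not consulted at all, which is the whole reason this check exists. Suggest `// CheckProcMountRestricted returns a restricted level check that, in 1.35+, requires securityContext.procMount to be unset or "Default" regardless of hostUsers, overriding the baseline relaxation for user namespace pods.` The comment block on the VersionedCheck explains the override well and can stay as is.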
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_procMount_restricted_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_restricted_test.go new file mode 100644 index 00000000000..d791027d06d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/policy/check_procMount_restricted_test.go 
@@ -0,0 +1,71 @@
+/*
+Copyright 2025 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+ "testing"
+
+ corev1 "k8s.io/api/core/v1"
+)
+
+func TestProcMountRestricted(t *testing.T) {
+ defaultValue := corev1.DefaultProcMount
+ unmaskedValue := corev1.UnmaskedProcMount
+ otherValue := corev1.ProcMountType("other")
+
+ tests := []struct {
+ name string
+ pod *corev1.Pod
+ expectReason string
+ expectDetail string
+ expectAllowed bool
+ }{
+ {
+ name: "procMount",
+ pod: &corev1.Pod{Spec: corev1.PodSpec{
+ Containers: []corev1.Container{
+ {Name: "a", SecurityContext: nil},
+ {Name: "b", SecurityContext: &corev1.SecurityContext{}},
+ {Name: "c", SecurityContext: &corev1.SecurityContext{ProcMount: &defaultValue}},
+ {Name: "d", SecurityContext: &corev1.SecurityContext{ProcMount: &unmaskedValue}},
+ {Name: "e", SecurityContext: &corev1.SecurityContext{ProcMount: &otherValue}},
+ },
+ }},
+ expectReason: `procMount`,
+ expectAllowed: false,
+ expectDetail: `containers "d", "e" must not set securityContext.procMount to "Unmasked", "other"`,
+ },
+ }
+
+ for _, tc := range tests {
+ for _, userns := range []bool{true, false} {
+ t.Run(tc.name, func(t *testing.T) {
+ tc.pod.Spec.HostUsers = &userns
+ result := procMount_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec)
+ if result.Allowed != tc.expectAllowed {
+ t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed)
+ }
+ if e, a := tc.expectReason, result.ForbiddenReason; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ if e, a := tc.expectDetail, result.ForbiddenDetail; e != a {
+ t.Errorf("expected\n%s\ngot\n%s", e, a)
+ }
+ })
+ }
+ }
+}
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot.go b/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot.go
index 87b83727b26..0800ddab70c 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot.go
@@ -26,7 +26,8 @@ import (
 )
 /*
-Containers must be required to run as non-root users.
+Containers must be required to run as non-root users,
+unless the pod is in a user namespace ("hostUsers: false").
 **Restricted Fields:**
@@ -37,6 +38,7 @@ spec.initContainers[*].securityContext.runAsNonRoot
 **Allowed Values:**
 true
 undefined/null at container-level if pod-level is set to true
+any value if "hostUsers" is false
 */
 func init() {
@@ -54,16 +56,26 @@ func CheckRunAsNonRoot() Check {
 MinimumVersion: api.MajorMinorVersion(1, 0),
 CheckPod: runAsNonRoot_1_0,
 },
+ {
+ MinimumVersion: api.MajorMinorVersion(1, 35),
+ CheckPod: runAsNonRoot1_35,
+ },
 },
 }
 }
-func runAsNonRoot_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+func runAsNonRoot1_35(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
 // See KEP-127: https://github.com/kubernetes/enhancements/blob/308ba8d/keps/sig-node/127-user-namespaces/README.md?plain=1#L411-L447
+ // In the 1.0 policy, this relaxation was gated on a perma-alpha feature gate.
+ // Instead of relaxing 1.0 policy, drop the relaxation there, and add it unconditionally here.
 if relaxPolicyForUserNamespacePod(podSpec) {
 return CheckResult{Allowed: true}
 }
+ return runAsNonRoot_1_0(podMetadata, podSpec)
+}
+
+func runAsNonRoot_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
 // things that explicitly set runAsNonRoot=false
 var badSetters []string
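Review bot: Both iterations of the inner `for _, userns := range []bool{true, false}` loop call `t.Run(tc.name, ...)`, so the `hostUsers: true` and `hostUsers: false` subtests get the same name (Go disambiguates with a `#01` suffix) and a failure cannot be attributed to either value from the output. Name the subtest after the loop variable, e.g. `t.Run(fmt.Sprintf("%s hostUsers=%t", tc.name, userns), func(t *testing.T) {`, adding `"fmt"` to the import block. The loop also writes `tc.pod.Spec.HostUsers` on the shared test case across iterations, which is fine while the subtests run sequentially but would be a data race if `t.Parallel()` were ever added.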
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot_test.go index 3daedad4d7a..356790cbddd 100644 --- a/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot_test.go +++ b/staging/src/k8s.io/pod-security-admission/policy/check_runAsNonRoot_test.go @@ -25,12 +25,11 @@ import ( func TestRunAsNonRoot(t *testing.T) { tests := []struct { - name string - pod *corev1.Pod - expectReason string - expectDetail string - expectAllowed bool - relaxForUserNS bool + name string + pod *corev1.Pod + expectReason string + expectDetail string + expectAllowed bool }{ { name: "no explicit runAsNonRoot", @@ -83,37 +82,17 @@ func TestRunAsNonRoot(t *testing.T) { expectDetail: `pod or containers "a", "b" must set securityContext.runAsNonRoot=true`, }, { - name: "UserNamespacesPodSecurityStandards enabled without HostUsers", + name: "host users false allowed", pod: &corev1.Pod{Spec: corev1.PodSpec{ HostUsers: ptr.To(false), }}, - expectAllowed: true, - relaxForUserNS: true, - }, - { - name: "UserNamespacesPodSecurityStandards enabled with HostUsers", - pod: &corev1.Pod{Spec: corev1.PodSpec{ - Containers: []corev1.Container{ - {Name: "a"}, - }, - HostUsers: ptr.To(true), - }}, - expectReason: `runAsNonRoot != true`, - expectDetail: `pod or container "a" must set securityContext.runAsNonRoot=true`, - expectAllowed: false, - relaxForUserNS: true, + expectAllowed: true, }, } for _, tc := range tests { t.Run(tc.name, func(t *testing.T) { - if tc.relaxForUserNS { - RelaxPolicyForUserNamespacePods(true) - t.Cleanup(func() { - RelaxPolicyForUserNamespacePods(false) - }) - } - result := runAsNonRoot_1_0(&tc.pod.ObjectMeta, &tc.pod.Spec) + result := runAsNonRoot1_35(&tc.pod.ObjectMeta, &tc.pod.Spec) if result.Allowed != tc.expectAllowed { t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed) } 
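Review bot: Dropping the `UserNamespacesPodSecurityStandards enabled with HostUsers` case leaves `runAsNonRoot1_35` with no test that sets `HostUsers: ptr.To(true)` explicitly; the remaining cases leave the field nil, so the non-relaxed branch of `relaxPolicyForUserNamespacePod` is only exercised through the nil path. Keep that case, minus the `relaxForUserNS` field, as a `host users true still enforced` entry with the same `expectReason`/`expectDetail`, so a regression that treats any non-nil `HostUsers` as a relaxation is caught. The same coverage gap appears in the `check_runAsUser_test.go` hunk below, where the `runAsUser=0` with `HostUsers: ptr.To(true)` case is removed.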
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser.go b/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser.go
index eb9553ee04d..528eb482176 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser.go
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser.go
@@ -27,6 +27,7 @@ import (
 /*
 Containers must not set runAsUser: 0
+unless the pod is in a user namespace ("hostUsers: false").
 **Restricted Fields:**
@@ -37,6 +38,7 @@ spec.initContainers[*].securityContext.runAsUser
 **Allowed Values:**
 non-zero values
 undefined/null
+any value if "hostUsers" is false
 */
@@ -55,16 +57,26 @@ func CheckRunAsUser() Check {
 MinimumVersion: api.MajorMinorVersion(1, 23),
 CheckPod: runAsUser_1_23,
 },
+ {
+ MinimumVersion: api.MajorMinorVersion(1, 35),
+ CheckPod: runAsUser1_35,
+ },
 },
 }
 }
-func runAsUser_1_23(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+func runAsUser1_35(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
 // See KEP-127: https://github.com/kubernetes/enhancements/blob/308ba8d/keps/sig-node/127-user-namespaces/README.md?plain=1#L411-L447
+ // In the 1.23 policy, this relaxation was gated on a perma-alpha feature gate.
+ // Instead of relaxing 1.0 policy, drop the relaxation there, and add it unconditionally here.
 if relaxPolicyForUserNamespacePod(podSpec) {
 return CheckResult{Allowed: true}
 }
+ return runAsUser_1_23(podMetadata, podSpec)
+}
+
+func runAsUser_1_23(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
 // things that explicitly set runAsUser=0
 var badSetters []string
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser_test.go b/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser_test.go
index df54e21f943..9f3bee9ed4c 100644
--- a/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser_test.go
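Review bot: The comment pair added to `runAsUser1_35` is internally inconsistent: `// In the 1.23 policy, this relaxation was gated on a perma-alpha feature gate.` is followed by `// Instead of relaxing 1.0 policy, drop the relaxation there, ...`, where the second line was evidently copied from `check_runAsNonRoot.go` and the function it falls back to is `runAsUser_1_23`. Suggest `// Instead of relaxing the 1.23 policy, drop the relaxation there, and add it unconditionally here.` A reader auditing which policy version first relaxes runAsUser=0 for user-namespace pods should not have to reconcile the two numbers.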
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_runAsUser_test.go @@ -25,12 +25,11 @@ import ( func TestRunAsUser(t *testing.T) { tests := []struct { - name string - pod *corev1.Pod - expectAllowed bool - expectReason string - expectDetail string - relaxForUserNS bool + name string + pod *corev1.Pod + expectAllowed bool + expectReason string + expectDetail string }{ { name: "pod runAsUser=0", @@ -92,38 +91,17 @@ func TestRunAsUser(t *testing.T) { expectAllowed: true, }, { - name: "UserNamespacesPodSecurityStandards enabled without HostUsers", + name: "host users false allowed", pod: &corev1.Pod{Spec: corev1.PodSpec{ HostUsers: ptr.To(false), }}, - expectAllowed: true, - relaxForUserNS: true, - }, - { - name: "UserNamespacesPodSecurityStandards enabled with HostUsers", - pod: &corev1.Pod{Spec: corev1.PodSpec{ - SecurityContext: &corev1.PodSecurityContext{RunAsUser: ptr.To[int64](0)}, - Containers: []corev1.Container{ - {Name: "a", SecurityContext: nil}, - }, - HostUsers: ptr.To(true), - }}, - expectAllowed: false, - expectReason: `runAsUser=0`, - expectDetail: `pod must not set runAsUser=0`, - relaxForUserNS: true, + expectAllowed: true, }, } for _, tc := range tests { t.Run(tc.name, func(t *testing.T) { - if tc.relaxForUserNS { - RelaxPolicyForUserNamespacePods(true) - t.Cleanup(func() { - RelaxPolicyForUserNamespacePods(false) - }) - } - result := runAsUser_1_23(&tc.pod.ObjectMeta, &tc.pod.Spec) + result := runAsUser1_35(&tc.pod.ObjectMeta, &tc.pod.Spec) if result.Allowed != tc.expectAllowed { t.Fatalf("expected Allowed to be %v was %v", tc.expectAllowed, result.Allowed) } diff --git a/staging/src/k8s.io/pod-security-admission/policy/helpers.go b/staging/src/k8s.io/pod-security-admission/policy/helpers.go index e35348929cf..2f7525eb1bf 100644 --- a/staging/src/k8s.io/pod-security-admission/policy/helpers.go +++ b/staging/src/k8s.io/pod-security-admission/policy/helpers.go 
@@ -18,7 +18,6 @@ package policy
 import (
 "strings"
- "sync/atomic"
 corev1 "k8s.io/api/core/v1"
 )
@@ -37,20 +36,8 @@ func pluralize(singular, plural string, count int) string {
 return plural
 }
-var relaxPolicyForUserNamespacePods = &atomic.Bool{}
-
-// RelaxPolicyForUserNamespacePods allows opting into relaxing runAsUser /
-// runAsNonRoot restricted policies for user namespace pods, before the
-// usernamespace feature has reached GA and propagated to the oldest supported
-// nodes.
-// This should only be opted into in clusters where the administrator ensures
-// all nodes in the cluster enable the user namespace feature.
-func RelaxPolicyForUserNamespacePods(relax bool) {
- relaxPolicyForUserNamespacePods.Store(relax)
-}
-
 // relaxPolicyForUserNamespacePod returns true if a policy should be relaxed
 // because of enabled user namespaces in the provided pod spec.
 func relaxPolicyForUserNamespacePod(podSpec *corev1.PodSpec) bool {
- return relaxPolicyForUserNamespacePods.Load() && podSpec != nil && podSpec.HostUsers != nil && !*podSpec.HostUsers
+ return podSpec != nil && podSpec.HostUsers != nil && !*podSpec.HostUsers
 }
diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_procMount.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_procMount.go
index 98d33f17404..e7a00b79e17 100644
--- a/staging/src/k8s.io/pod-security-admission/test/fixtures_procMount.go
+++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_procMount.go
@@ -20,10 +20,10 @@ import (
 corev1 "k8s.io/api/core/v1"
 "k8s.io/component-base/featuregate"
 "k8s.io/pod-security-admission/api"
+ "k8s.io/utils/ptr"
 )
 func init() {
- hostUsers := false
 fixtureData_1_0 := fixtureGenerator{
 expectErrorSubstring: "procMount",
 generatePass: func(p *corev1.Pod) []*corev1.Pod {
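Review bot: `relaxPolicyForUserNamespacePod` now relaxes on nothing more than `hostUsers: false` in the spec, and with the opt-in gone the remaining doc comment no longer records why that is safe; the deleted comment carried that reasoning, and the commit message's version (every supported kubelet honours or rejects a user-namespace pod, given the n-3 version skew) is exactly what a later auditor of this relaxation needs. Suggest appending to the comment: `// Relaxing on hostUsers=false alone relies on every supported kubelet rejecting such a pod when it cannot run it in a user namespace, so the relaxed policy never applies to a pod that ends up running in the host user namespace.` Separately, deleting the exported `RelaxPolicyForUserNamespacePods` is an API break for out-of-tree importers of the `k8s.io/pod-security-admission` staging module; if that matters for this release, a deprecated no-op shim could be kept for one cycle.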
@@ -34,7 +34,7 @@ func init() { validProcMountType := corev1.DefaultProcMount copy.Spec.Containers[0].SecurityContext.ProcMount = &validProcMountType copy.Spec.InitContainers[0].SecurityContext.ProcMount = &validProcMountType - copy.Spec.HostUsers = &hostUsers + copy.Spec.HostUsers = ptr.To(false) }), } }, @@ -46,13 +46,13 @@ func init() { tweak(p, func(copy *corev1.Pod) { unmaskedProcMountType := corev1.UnmaskedProcMount copy.Spec.Containers[0].SecurityContext.ProcMount = &unmaskedProcMountType - copy.Spec.HostUsers = &hostUsers + copy.Spec.HostUsers = ptr.To(false) }), // set proc mount of init container to a forbidden value tweak(p, func(copy *corev1.Pod) { unmaskedProcMountType := corev1.UnmaskedProcMount copy.Spec.InitContainers[0].SecurityContext.ProcMount = &unmaskedProcMountType - copy.Spec.HostUsers = &hostUsers + copy.Spec.HostUsers = ptr.To(false) }), } }, 
@@ -62,4 +62,88 @@ func init() { fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 0), check: "procMount"}, fixtureData_1_0, ) + + fixtureData1_35baseline := fixtureGenerator{ + expectErrorSubstring: "procMount", + generatePass: func(p *corev1.Pod) []*corev1.Pod { + p = ensureSecurityContext(p) + return []*corev1.Pod{ + // set proc mount of container and init container to a valid value + tweak(p, func(copy *corev1.Pod) { + validProcMountType := corev1.DefaultProcMount + copy.Spec.Containers[0].SecurityContext.ProcMount = &validProcMountType + copy.Spec.InitContainers[0].SecurityContext.ProcMount = &validProcMountType + copy.Spec.HostUsers = ptr.To(false) + }), + tweak(p, func(copy *corev1.Pod) { + unmaskedProcMountType := corev1.UnmaskedProcMount + copy.Spec.Containers[0].SecurityContext.ProcMount = &unmaskedProcMountType + copy.Spec.InitContainers[0].SecurityContext.ProcMount = &unmaskedProcMountType + copy.Spec.HostUsers = ptr.To(false) + }), + } + }, + failRequiresFeatures: []featuregate.Feature{"ProcMountType"}, + generateFail: func(p *corev1.Pod) []*corev1.Pod { + p = ensureSecurityContext(p) + return []*corev1.Pod{ + // set proc mount of container to a forbidden value + tweak(p, func(copy *corev1.Pod) { + unmaskedProcMountType := corev1.UnmaskedProcMount + copy.Spec.Containers[0].SecurityContext.ProcMount = &unmaskedProcMountType + copy.Spec.HostUsers = ptr.To(true) + }), + // set proc mount of init container to a forbidden value + tweak(p, func(copy *corev1.Pod) { + unmaskedProcMountType := corev1.UnmaskedProcMount + copy.Spec.InitContainers[0].SecurityContext.ProcMount = &unmaskedProcMountType + copy.Spec.HostUsers = ptr.To(true) + }), + } + }, + } + + registerFixtureGenerator( + fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 35), check: "procMount"}, + fixtureData1_35baseline, + ) + + fixtureData1_35restricted := fixtureGenerator{ + expectErrorSubstring: "procMount", + generatePass: func(p *corev1.Pod) 
[]*corev1.Pod { + p = ensureSecurityContext(p) + return []*corev1.Pod{ + // set proc mount of container and init container to a valid value + tweak(p, func(copy *corev1.Pod) { + validProcMountType := corev1.DefaultProcMount + copy.Spec.Containers[0].SecurityContext.ProcMount = &validProcMountType + copy.Spec.InitContainers[0].SecurityContext.ProcMount = &validProcMountType + copy.Spec.HostUsers = ptr.To(false) + }), + } + }, + failRequiresFeatures: []featuregate.Feature{"ProcMountType"}, + generateFail: func(p *corev1.Pod) []*corev1.Pod { + p = ensureSecurityContext(p) + return []*corev1.Pod{ + // set proc mount of container to a forbidden value + tweak(p, func(copy *corev1.Pod) { + unmaskedProcMountType := corev1.UnmaskedProcMount + copy.Spec.Containers[0].SecurityContext.ProcMount = &unmaskedProcMountType + copy.Spec.HostUsers = ptr.To(false) + }), + // set proc mount of init container to a forbidden value + tweak(p, func(copy *corev1.Pod) { + unmaskedProcMountType := corev1.UnmaskedProcMount + copy.Spec.InitContainers[0].SecurityContext.ProcMount = &unmaskedProcMountType + copy.Spec.HostUsers = ptr.To(false) + }), + } + }, + } + + registerFixtureGenerator( + fixtureKey{level: api.LevelRestricted, version: api.MajorMinorVersion(1, 35), check: "procMount_restricted"}, + fixtureData1_35restricted, + ) } diff --git a/staging/src/k8s.io/pod-security-admission/test/run.go b/staging/src/k8s.io/pod-security-admission/test/run.go index c6eb117afcb..e9d79a74b87 100644 --- a/staging/src/k8s.io/pod-security-admission/test/run.go +++ b/staging/src/k8s.io/pod-security-admission/test/run.go @@ -37,7 +37,7 @@ import ( ) const ( - newestMinorVersionToTest = 34 + newestMinorVersionToTest = 35 podOSBasedRestrictionEnabledVersion = 29 ) 
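Review bot: The second pass case in `fixtureData1_35baseline` (Unmasked procMount on both containers with `HostUsers: ptr.To(false)`) is the one that actually exercises the new relaxation, yet it is the only tweak in this block without a comment; suggest `// unmasked procMount is allowed when the pod is in a user namespace (hostUsers: false)` above it. That pass pod also carries a non-default procMount, which the fail side gates on `failRequiresFeatures: []featuregate.Feature{"ProcMountType"}`; only a fail-side requirement is visible here, so confirm the fixture runner does not attempt to create that pass pod against an API server where the ProcMountType gate is off, where pod validation rather than the policy would reject it. The enclosing `init` starts outside this hunk.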
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/apparmorprofile0.yaml new file mode 100755 index 00000000000..87475d347dd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/apparmorprofile0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container1: unconfined + name: apparmorprofile0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/apparmorprofile1.yaml new file mode 100755 index 00000000000..5940a639ec4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/apparmorprofile1.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined + name: apparmorprofile1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline0.yaml new file mode 100755 index 00000000000..e01a9dece8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline0.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + add: + - NET_RAW + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline1.yaml new file mode 100755 index 00000000000..92239d17896 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline1.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - NET_RAW + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline2.yaml new file mode 100755 index 00000000000..089d8c184c2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + add: + - chown + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline3.yaml new file mode 100755 index 00000000000..4befa1edbea --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/capabilities_baseline3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + add: + - CAP_CHOWN + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces0.yaml new file mode 100755 index 00000000000..1c4ca9a560a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces0.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + hostIPC: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces1.yaml new file mode 100755 index 00000000000..7967a6d50a9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces1.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces2.yaml new file mode 100755 index 00000000000..00039668cd2 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostnamespaces2.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + hostPID: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes0.yaml new file mode 100755 index 00000000000..7f026136fae --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + volumes: + - emptyDir: {} + name: volume-emptydir + - hostPath: + path: /a + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes1.yaml new file mode 100755 index 00000000000..382d27f4f49 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostpathvolumes1.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /a + name: volume-hostpath-a + - hostPath: + path: /b + name: volume-hostpath-b diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports0.yaml new file mode 100755 index 00000000000..ebfdcd48d0d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports0.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports1.yaml new file mode 100755 index 00000000000..d9a2b97af3a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports1.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports2.yaml new file mode 100755 index 00000000000..61b3388f0a7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostports2.yaml 
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ hostPort: 12345
+ - containerPort: 12347
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
+ hostPort: 12346
+ - containerPort: 12348
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle0.yaml
new file mode 100755
index 00000000000..0fdf5a472ce
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostprobesandhostlifecycle0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ livenessProbe:
+ httpGet:
+ host: bad.host
+ port: 8080
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle1.yaml
new file mode 100755
index 00000000000..194b86fbeba
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostprobesandhostlifecycle1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ readinessProbe:
+ tcpSocket:
+ host: 8.8.8.8
+ port: 8080
+ restartPolicy: Always
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle2.yaml
new file mode 100755
index 00000000000..d3566005d27
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostprobesandhostlifecycle2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ lifecycle:
+ postStart:
+ httpGet:
+ host: bad.host
+ port: 8080
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle3.yaml
new file mode 100755
index 00000000000..ecbb7a991f1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle3.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostprobesandhostlifecycle3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ livenessProbe:
+ httpGet:
+ host: 127.0.0.1
+ port: 8080
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle4.yaml
new file mode 100755
index 00000000000..e54314b7b8e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/hostprobesandhostlifecycle4.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostprobesandhostlifecycle4
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ readinessProbe:
+ tcpSocket:
+ host: ::1
+ port: 8080
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged0.yaml
new file mode 100755
index 00000000000..e5cc7b94fdd
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged1.yaml
new file mode 100755
index 00000000000..31935b9955c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/privileged1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount0.yaml
new file mode 100755
index 00000000000..761b9a7126f
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ procMount: Unmasked
+ hostUsers: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount1.yaml
new file mode 100755
index 00000000000..887518ed9ec
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/procmount1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext: {}
+ hostUsers: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ procMount: Unmasked
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline0.yaml
new file mode 100755
index 00000000000..f455958da82
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seccompProfile:
+ type: Unconfined
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline1.yaml
new file mode 100755
index 00000000000..8a86112acd1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline2.yaml
new file mode 100755
index 00000000000..21822558178
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/seccompprofile_baseline2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions0.yaml
new file mode 100755
index 00000000000..f3307078cd7
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions1.yaml
new file mode 100755
index 00000000000..6629d05efc4
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions2.yaml
new file mode 100755
index 00000000000..65876a92b61
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions3.yaml
new file mode 100755
index 00000000000..71d89fbe572
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions4.yaml
new file mode 100755
index 00000000000..74e05cbb709
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/selinuxoptions4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions4
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/sysctls0.yaml
new file mode 100755
index 00000000000..81508d69e60
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess0.yaml
new file mode 100755
index 00000000000..1e506b1f803
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: windowshostprocess0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ windowsOptions: {}
+ hostNetwork: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ windowsOptions: {}
+ securityContext:
+ windowsOptions:
+ hostProcess: true
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess1.yaml
new file mode 100755
index 00000000000..1a9d3e94a0e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/fail/windowshostprocess1.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: windowshostprocess1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ windowsOptions:
+ hostProcess: true
+ hostNetwork: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ windowsOptions:
+ hostProcess: true
+ securityContext:
+ windowsOptions: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/apparmorprofile0.yaml
new file mode 100755
index 00000000000..213a6a6c411
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/apparmorprofile0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
+ name: apparmorprofile0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/base.yaml
new file mode 100755
index 00000000000..387a4be3170
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/capabilities_baseline0.yaml
new file mode 100755
index 00000000000..df93c1cd652
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/capabilities_baseline0.yaml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostports0.yaml
new file mode 100755
index 00000000000..61fddccdbbe
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostports0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle0.yaml
new file mode 100755
index 00000000000..356dbdaa811
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle0.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostprobesandhostlifecycle0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle1.yaml
new file mode 100755
index 00000000000..f11c12a32ab
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle1.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostprobesandhostlifecycle1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ livenessProbe:
+ httpGet:
+ port: 8080
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle2.yaml
new file mode 100755
index 00000000000..a9b0b6e358b
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/hostprobesandhostlifecycle2.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostprobesandhostlifecycle2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ readinessProbe:
+ tcpSocket:
+ port: 8080
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/privileged0.yaml
new file mode 100755
index 00000000000..0b64b687c7a
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount0.yaml
new file mode 100755
index 00000000000..53468519b32
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ procMount: Default
+ hostUsers: false
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ procMount: Default
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount1.yaml
new file mode 100755
index 00000000000..793e56e9f20
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/procmount1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ procMount: Unmasked
+ hostUsers: false
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ procMount: Unmasked
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/seccompprofile_baseline0.yaml
new file mode 100755
index 00000000000..2e05d163254
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/seccompprofile_baseline0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions0.yaml
new file mode 100755
index 00000000000..dafa4dbc3de
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions1.yaml
new file mode 100755
index 00000000000..a2688f5c23e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/selinuxoptions1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ type: container_init_t
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls0.yaml
new file mode 100755
index 00000000000..2148dc0867e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls1.yaml
new file mode 100755
index 00000000000..96eb7173489
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.35/pass/sysctls1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: net.ipv4.tcp_rmem
+ value: 4096 87380 16777216
+ - name: net.ipv4.tcp_wmem
+ value: 4096 65536 16777216
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation0.yaml
new file mode 100755
index 00000000000..837b55acc95
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation1.yaml
new file mode 100755
index 00000000000..61894665579
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation1.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation2.yaml
new file mode 100755
index 00000000000..9302cc63494
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation2.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation3.yaml
new file mode 100755
index 00000000000..083ce350f4e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/allowprivilegeescalation3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile0.yaml
new file mode 100755
index 00000000000..14de67ea27c
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container1: unconfined
+ name: apparmorprofile0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile1.yaml
new file mode 100755
index 00000000000..0e4313b5421
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/apparmorprofile1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
+ name: apparmorprofile1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline0.yaml
new file mode 100755
index 00000000000..2be0164f3e1
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline1.yaml
new file mode 100755
index 00000000000..f68d6b38830
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline2.yaml
new file mode 100755
index 00000000000..702bd87de6e
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline2.yaml
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline3.yaml new file mode 100755 index 00000000000..3e6aa463175 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_baseline3.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted0.yaml new file mode 100755 index 00000000000..857c11b86bb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted0.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted1.yaml new file mode 100755 index 00000000000..9c987673a0a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted2.yaml new file mode 100755 index 00000000000..be25f6aeac1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted2.yaml 
@@ -0,0 +1,97 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - SYS_TIME + - SYS_MODULE + - SYS_RAWIO + - SYS_PACCT + - SYS_ADMIN + - SYS_NICE + - SYS_RESOURCE + - SYS_TIME + - SYS_TTY_CONFIG + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + - MAC_OVERRIDE + - MAC_ADMIN + - NET_ADMIN + - SYSLOG + - CHOWN + - NET_RAW + - DAC_OVERRIDE + - FOWNER + - DAC_READ_SEARCH + - FSETID + - KILL + - SETGID + - SETUID + - LINUX_IMMUTABLE + - NET_BIND_SERVICE + - NET_BROADCAST + - IPC_LOCK + - IPC_OWNER + - SYS_CHROOT + - SYS_PTRACE + - SYS_BOOT + - LEASE + - SETFCAP + - WAKE_ALARM + - BLOCK_SUSPEND + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - SYS_TIME + - SYS_MODULE + - SYS_RAWIO + - SYS_PACCT + - SYS_ADMIN + - SYS_NICE + - SYS_RESOURCE + - SYS_TIME + - SYS_TTY_CONFIG + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + - MAC_OVERRIDE + - MAC_ADMIN + - NET_ADMIN + - SYSLOG + - CHOWN + - NET_RAW + - DAC_OVERRIDE + - FOWNER + - DAC_READ_SEARCH + - FSETID + - KILL + - SETGID + - SETUID + - LINUX_IMMUTABLE + - NET_BIND_SERVICE + - NET_BROADCAST + - IPC_LOCK + - IPC_OWNER + - SYS_CHROOT + - SYS_PTRACE + - SYS_BOOT + - LEASE + - SETFCAP + - WAKE_ALARM + - BLOCK_SUSPEND + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted3.yaml new file mode 100755 index 00000000000..517cc3cbc20 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/capabilities_restricted3.yaml 
@@ -0,0 +1,53 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces0.yaml new file mode 100755 index 00000000000..c1a7b7a4ba9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostIPC: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces1.yaml new file mode 100755 index 00000000000..caa294e373c --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces2.yaml new file mode 100755 index 00000000000..32350899785 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostnamespaces2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostPID: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes0.yaml new file mode 100755 index 00000000000..86745e64a08 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes0.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - emptyDir: {} + name: volume-emptydir + - hostPath: + path: /a + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes1.yaml new file mode 100755 index 00000000000..bc7759c2036 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostpathvolumes1.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /a + name: volume-hostpath-a + - hostPath: + path: /b + name: volume-hostpath-b diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports0.yaml new file mode 100755 index 00000000000..9bf9055d9ee --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports0.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports1.yaml new file mode 100755 index 00000000000..ddecbf4925d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports1.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports2.yaml new file mode 100755 index 00000000000..ed9f6920981 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostports2.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + - containerPort: 12347 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + - containerPort: 12348 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle0.yaml new file mode 100755 index 00000000000..cb32df69fdf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostprobesandhostlifecycle0 +spec: + containers: + - image: registry.k8s.io/pause + livenessProbe: + httpGet: + host: bad.host + port: 8080 + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle1.yaml new file mode 100755 index 00000000000..8b55e0dd8a0 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle1.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostprobesandhostlifecycle1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + readinessProbe: + tcpSocket: + host: 8.8.8.8 + port: 8080 + restartPolicy: Always + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle2.yaml new file mode 100755 index 00000000000..86a179b7246 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle2.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostprobesandhostlifecycle2 +spec: + containers: + - image: registry.k8s.io/pause + lifecycle: + postStart: + httpGet: + host: bad.host + port: 8080 + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle3.yaml new file mode 100755 index 00000000000..281b6d74a89 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle3.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostprobesandhostlifecycle3 +spec: + containers: + - image: registry.k8s.io/pause + livenessProbe: + httpGet: + host: 127.0.0.1 + port: 8080 + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle4.yaml new file mode 100755 index 00000000000..d76b87f28fd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/hostprobesandhostlifecycle4.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostprobesandhostlifecycle4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + readinessProbe: + tcpSocket: + host: ::1 + port: 8080 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged0.yaml new file mode 100755 index 00000000000..7ad39f5c045 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + drop: + - ALL + privileged: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged1.yaml new file mode 100755 index 00000000000..cb41dcb3aa4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/privileged1.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: + drop: + - ALL + privileged: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount0.yaml new file mode 100755 index 00000000000..31abae958b7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount0.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + hostUsers: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount1.yaml new file mode 100755 index 00000000000..20fc044f33a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostUsers: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted0.yaml new file mode 100755 index 00000000000..a33c140b758 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted0.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount_restricted0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + hostUsers: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted1.yaml new file mode 100755 index 00000000000..3aa92050893 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/procmount_restricted1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount_restricted1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostUsers: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..5a95336d269 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes0.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - gcePersistentDisk: + pdName: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..153326fea89 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes1.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - awsElasticBlockStore: + volumeID: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..f34afe69ca8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes10.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - flocker: + datasetName: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..384e06f6b23 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes11.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - fc: + wwids: + - test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..8757fbf7fb4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes12.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - azureFile: + secretName: test + shareName: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..9e2086df359 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes13.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + vsphereVolume: + volumePath: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..d8b9605e4d1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes14.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + quobyte: + registry: localhost:1234 + volume: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..f3462ab7f43 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes15.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - azureDisk: + diskName: test + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..d83daa6fcb1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes16.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + portworxVolume: + fsType: ext4 + volumeID: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..23f6b770e46 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes17.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + scaleIO: + gateway: localhost + secretRef: null + system: test + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..ca5d93f57fd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes18.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..4ca4381bec9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes19.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /dev/null + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..9154458079c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes2.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..f1060bc3551 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes3.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + nfs: + path: /test + server: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..3a1447417e4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes4.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..e64cbe9ab50 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes5.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - glusterfs: + endpoints: test + path: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..4d596c9e415 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes6.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + rbd: + image: test + monitors: + - test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..c3887a35c12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes7.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - flexVolume: + driver: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..e11afbbe8ec --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes8.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - cinder: + volumeID: test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..8159a4858b9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/restrictedvolumes9.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - cephfs: + monitors: + - test + name: volume1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot0.yaml new file mode 100755 index 00000000000..f460f659d94 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot0.yaml 
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot1.yaml new file mode 100755 index 00000000000..285409793ea --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot1.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: false + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot2.yaml new file mode 100755 index 00000000000..067c7970fa7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot2.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot3.yaml new file mode 100755 index 00000000000..5459f294e0b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasnonroot3.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser0.yaml new file mode 100755 index 00000000000..5f7c9e0f005 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser0.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + runAsUser: 0 + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser1.yaml new file mode 100755 index 00000000000..ff62334ead6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 0 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser2.yaml new file mode 100755 index 00000000000..26c713497d0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/runasuser2.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 0 + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline0.yaml new file mode 100755 index 00000000000..0b875ce5f01 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline1.yaml new file mode 100755 index 00000000000..3e63c31668c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline1.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: Unconfined + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline2.yaml new file mode 100755 index 00000000000..4cd99407164 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_baseline2.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted0.yaml new file mode 100755 index 00000000000..64b5604b5a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted0.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted1.yaml new file mode 100755 index 00000000000..2ec3d48dfb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted1.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted2.yaml new file mode 100755 index 00000000000..c63c622a6ad --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted2.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted3.yaml new file mode 100755 index 00000000000..69c969f8a68 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted3.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted4.yaml new file mode 100755 index 00000000000..b17bf7648e4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/seccompprofile_restricted4.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions0.yaml new file mode 100755 index 00000000000..7135bb20b8e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions1.yaml new file mode 100755 index 00000000000..c99b8a5ed4f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions1.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + type: somevalue + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions2.yaml new file mode 100755 index 00000000000..f2eafc2512b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions2.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + type: somevalue + securityContext: + runAsNonRoot: true + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions3.yaml new file mode 100755 index 00000000000..1da063ebd1f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions3.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + user: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions4.yaml new file mode 100755 index 00000000000..a4a38fb6034 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/selinuxoptions4.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + role: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/sysctls0.yaml new file mode 100755 index 00000000000..841f73d238f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/sysctls0.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + sysctls: + - name: othersysctl + value: other diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/windowshostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/windowshostprocess0.yaml new file mode 100755 index 00000000000..4262e6a5b82 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/windowshostprocess0.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: windowshostprocess0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + windowsOptions: {} + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + windowsOptions: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + windowsOptions: + hostProcess: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/windowshostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/windowshostprocess1.yaml new file mode 100755 index 00000000000..ba1ce4a472f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/fail/windowshostprocess1.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: windowshostprocess1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + windowsOptions: + hostProcess: true + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + windowsOptions: + hostProcess: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + windowsOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/apparmorprofile0.yaml new file mode 100755 index 00000000000..53ebdaa0139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/apparmorprofile0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container1: localhost/foo + name: apparmorprofile0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base.yaml new file mode 100755 index 00000000000..3b4f3077dcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base_linux.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base_linux.yaml new file mode 100755 index 00000000000..67563df7022 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base_linux.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base_linux +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + os: + name: linux + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base_windows.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base_windows.yaml new file mode 100755 index 00000000000..2bc48b4f6b7 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/base_windows.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base_windows +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + os: + name: windows + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/capabilities_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/capabilities_restricted0.yaml new file mode 100755 index 00000000000..8a70cb3efdb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/capabilities_restricted0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostports0.yaml new file mode 100755 index 00000000000..e7f11535894 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostports0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle0.yaml new file mode 100755 index 00000000000..e32b2ec9892 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostprobesandhostlifecycle0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle1.yaml new file mode 100755 index 00000000000..c34edd0970f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle1.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostprobesandhostlifecycle1 +spec: + containers: + - image: registry.k8s.io/pause + livenessProbe: + httpGet: + port: 8080 + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle2.yaml new file mode 100755 index 00000000000..09919047d85 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/hostprobesandhostlifecycle2.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostprobesandhostlifecycle2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + readinessProbe: + tcpSocket: + port: 8080 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/privileged0.yaml new file mode 100755 index 00000000000..8e3aafdd8f1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/privileged0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount0.yaml new file mode 100755 index 00000000000..5db5a5c947a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount0.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Default + hostUsers: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Default + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount1.yaml new file mode 100755 index 00000000000..77e2c1582e1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount1.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + hostUsers: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount_restricted0.yaml new file mode 100755 index 00000000000..3906b80f17c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/procmount_restricted0.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount_restricted0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Default + hostUsers: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Default + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..a11722485c5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/restrictedvolumes0.yaml 
@@ -0,0 +1,47 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume0 + - emptyDir: {} + name: volume1 + - name: volume2 + secret: + secretName: test + - name: volume3 + persistentVolumeClaim: + claimName: test + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume4 + - configMap: + name: test + name: volume5 + - name: volume6 + projected: + sources: [] diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasnonroot0.yaml new file mode 100755 index 00000000000..414ac79b469 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasnonroot0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasnonroot1.yaml new file mode 100755 index 00000000000..549b013e53f --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasnonroot1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: true + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasuser0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasuser0.yaml new file mode 100755 index 00000000000..ed7aff0fa12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/runasuser0.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 1000 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 1000 + securityContext: + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted0.yaml new file mode 100755 index 00000000000..f904065ce46 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted0.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted1.yaml new file mode 100755 index 00000000000..5a60fd7c59b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted1.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + localhostProfile: testing + type: Localhost diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted2.yaml new file mode 100755 index 00000000000..39d68e386b6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/seccompprofile_restricted2.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + localhostProfile: testing + type: Localhost + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/selinuxoptions0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/selinuxoptions0.yaml new file mode 100755 index 00000000000..a45080b7425 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/selinuxoptions0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/selinuxoptions1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/selinuxoptions1.yaml new file mode 100755 index 00000000000..0a8365605e9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/selinuxoptions1.yaml 
@@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + level: somevalue + type: container_init_t + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + type: container_kvm_t + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: container_t + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/sysctls0.yaml new file mode 100755 index 00000000000..84224ffa94d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/sysctls0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/sysctls1.yaml new file mode 100755 index 00000000000..a066dc42769 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.35/pass/sysctls1.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + sysctls: + - name: net.ipv4.tcp_rmem + value: 4096 87380 16777216 + - name: net.ipv4.tcp_wmem + value: 4096 65536 16777216 diff --git a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml index 794d1ce21ac..5b397a0ddbf 100644 --- a/test/compatibility_lifecycle/reference/versioned_feature_list.yaml +++ b/test/compatibility_lifecycle/reference/versioned_feature_list.yaml @@ -1823,12 +1823,6 @@ lockToDefault: false preRelease: Alpha version: "1.28" -- name: UserNamespacesPodSecurityStandards - versionedSpecs: - - default: false - lockToDefault: false - preRelease: Alpha - version: "1.29" - name: UserNamespacesSupport versionedSpecs: - default: false diff --git a/test/e2e/common/node/security_context.go b/test/e2e/common/node/security_context.go index 43be7c531a5..6d5ac9e6159 100644 --- a/test/e2e/common/node/security_context.go +++ b/test/e2e/common/node/security_context.go @@ -993,7 +993,7 @@ var _ = SIGDescribe("Security Context", func() { }) }) -var _ = SIGDescribe("User Namespaces for Pod Security Standards [LinuxOnly]", func() { +var _ = SIGDescribe("User Namespaces for Restricted Pod Security Standards [LinuxOnly]", func() { ginkgo.BeforeEach(func() { e2eskipper.SkipIfNodeOSDistroIs("windows") }) 
@@ -1001,8 +1001,8 @@ var _ = SIGDescribe("User Namespaces for Pod Security Standards [LinuxOnly]", fu f := framework.NewDefaultFramework("user-namespaces-pss-test") f.NamespacePodSecurityLevel = admissionapi.LevelRestricted - ginkgo.Context("with UserNamespacesSupport and UserNamespacesPodSecurityStandards enabled", func() { - f.It("should allow pod", feature.UserNamespacesPodSecurityStandards, framework.WithFeatureGate(features.UserNamespacesSupport), framework.WithFeatureGate(features.UserNamespacesPodSecurityStandards), func(ctx context.Context) { + ginkgo.Context("with UserNamespacesSupport enabled", func() { + f.It("should allow pod", feature.UserNamespacesSupport, framework.WithFeatureGate(features.UserNamespacesSupport), func(ctx context.Context) { name := "pod-user-namespaces-pss-" + string(uuid.NewUUID()) pod := &v1.Pod{ ObjectMeta: metav1.ObjectMeta{Name: name}, diff --git a/test/e2e/feature/feature.go b/test/e2e/feature/feature.go index 5a8c56e07f8..1a69fcb3a34 100644 --- a/test/e2e/feature/feature.go +++ b/test/e2e/feature/feature.go @@ -455,12 +455,6 @@ var ( // TODO: document the feature (owning SIG, when to use this feature for a test) Upgrade = framework.WithFeature(framework.ValidFeatures.Add("Upgrade")) - // Owned by SIG Node - // Can be used when the UserNamespacesPodSecurityStandards kubelet feature - // gate is enabled to relax the application of Pod Security Standards in a - // controlled way. - UserNamespacesPodSecurityStandards = framework.WithFeature(framework.ValidFeatures.Add("UserNamespacesPodSecurityStandards")) - // TODO: document the feature (owning SIG, when to use this feature for a test) UserNamespacesSupport = framework.WithFeature(framework.ValidFeatures.Add("UserNamespacesSupport"))
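Review bot: The rewritten `ginkgo.Context("with UserNamespacesSupport enabled", ...)` and `f.It(...)` lines leave no record of why a restricted namespace now admits a `hostUsers: false` pod without the second gate, and from the v1.35 fixture directories elsewhere in this patch that admission appears to depend on the namespace enforcing policy version v1.35 or later, which `f.NamespacePodSecurityLevel = admissionapi.LevelRestricted` alone does not make visible. A comment above the Context would spare the next reader a trip into the admission code, e.g. `// Restricted PSA at policy version >= v1.35 relaxes the procMount/runAsNonRoot/runAsUser checks for hostUsers: false pods; kubelets that cannot provide user namespaces reject such pods themselves, so no separate gate is needed.` If the framework can pin an older enforce-version label on the test namespace, the pod would be rejected for a reason unrelated to user namespaces, so that assumption is worth stating (or asserting) next to the level setting. The enclosing SIGDescribe closure and the f.It body continue outside the hunk.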