From 6b003730a88ebd5bbb44022217647117ba1f0707 Mon Sep 17 00:00:00 2001 From: Peter Hunt Date: Wed, 17 Jul 2024 12:28:59 -0400 Subject: [PATCH] PSA: update test fixtures 
Signed-off-by: Peter Hunt Kubernetes-commit: f53069eac65fa011262f440803efcfedd0a59e6a --- test/run.go | 2 +- .../baseline/v1.30/fail/apparmorprofile0.yaml | 13 +++ .../baseline/v1.30/fail/apparmorprofile1.yaml | 13 +++ .../v1.30/fail/capabilities_baseline0.yaml | 18 ++++ .../v1.30/fail/capabilities_baseline1.yaml | 18 ++++ .../v1.30/fail/capabilities_baseline2.yaml | 18 ++++ .../v1.30/fail/capabilities_baseline3.yaml | 18 ++++ .../baseline/v1.30/fail/hostnamespaces0.yaml | 12 +++ .../baseline/v1.30/fail/hostnamespaces1.yaml | 12 +++ .../baseline/v1.30/fail/hostnamespaces2.yaml | 12 +++ .../baseline/v1.30/fail/hostpathvolumes0.yaml | 17 ++++ .../baseline/v1.30/fail/hostpathvolumes1.yaml | 18 ++++ .../baseline/v1.30/fail/hostports0.yaml | 14 +++ .../baseline/v1.30/fail/hostports1.yaml | 14 +++ .../baseline/v1.30/fail/hostports2.yaml | 19 ++++ .../baseline/v1.30/fail/privileged0.yaml | 15 +++ .../baseline/v1.30/fail/privileged1.yaml | 15 +++ .../baseline/v1.30/fail/procmount0.yaml | 16 +++ .../baseline/v1.30/fail/procmount1.yaml | 16 +++ .../v1.30/fail/seccompprofile_baseline0.yaml | 16 +++ .../v1.30/fail/seccompprofile_baseline1.yaml | 16 +++ .../v1.30/fail/seccompprofile_baseline2.yaml | 16 +++ .../baseline/v1.30/fail/selinuxoptions0.yaml | 18 ++++ .../baseline/v1.30/fail/selinuxoptions1.yaml | 18 ++++ .../baseline/v1.30/fail/selinuxoptions2.yaml | 18 ++++ .../baseline/v1.30/fail/selinuxoptions3.yaml | 18 ++++ .../baseline/v1.30/fail/selinuxoptions4.yaml | 18 ++++ .../baseline/v1.30/fail/sysctls0.yaml | 15 +++ .../v1.30/fail/windowshostprocess0.yaml | 19 ++++ .../v1.30/fail/windowshostprocess1.yaml | 20 ++++ .../baseline/v1.30/pass/apparmorprofile0.yaml | 13 +++ test/testdata/baseline/v1.30/pass/base.yaml | 11 +++ .../v1.30/pass/capabilities_baseline0.yaml | 44 +++++++++ .../baseline/v1.30/pass/hostports0.yaml | 15 +++ .../baseline/v1.30/pass/privileged0.yaml | 16 +++ .../baseline/v1.30/pass/procmount0.yaml | 17 ++++ .../v1.30/pass/seccompprofile_baseline0.yaml | 18 
++++ .../baseline/v1.30/pass/selinuxoptions0.yaml | 15 +++ .../baseline/v1.30/pass/selinuxoptions1.yaml | 21 ++++ .../baseline/v1.30/pass/sysctls0.yaml | 12 +++ .../baseline/v1.30/pass/sysctls1.yaml | 33 +++++++ .../baseline/v1.31/fail/apparmorprofile0.yaml | 13 +++ .../baseline/v1.31/fail/apparmorprofile1.yaml | 13 +++ .../v1.31/fail/capabilities_baseline0.yaml | 18 ++++ .../v1.31/fail/capabilities_baseline1.yaml | 18 ++++ .../v1.31/fail/capabilities_baseline2.yaml | 18 ++++ .../v1.31/fail/capabilities_baseline3.yaml | 18 ++++ .../baseline/v1.31/fail/hostnamespaces0.yaml | 12 +++ .../baseline/v1.31/fail/hostnamespaces1.yaml | 12 +++ .../baseline/v1.31/fail/hostnamespaces2.yaml | 12 +++ .../baseline/v1.31/fail/hostpathvolumes0.yaml | 17 ++++ .../baseline/v1.31/fail/hostpathvolumes1.yaml | 18 ++++ .../baseline/v1.31/fail/hostports0.yaml | 14 +++ .../baseline/v1.31/fail/hostports1.yaml | 14 +++ .../baseline/v1.31/fail/hostports2.yaml | 19 ++++ .../baseline/v1.31/fail/privileged0.yaml | 15 +++ .../baseline/v1.31/fail/privileged1.yaml | 15 +++ .../baseline/v1.31/fail/procmount0.yaml | 16 +++ .../baseline/v1.31/fail/procmount1.yaml | 16 +++ .../v1.31/fail/seccompprofile_baseline0.yaml | 16 +++ .../v1.31/fail/seccompprofile_baseline1.yaml | 16 +++ .../v1.31/fail/seccompprofile_baseline2.yaml | 16 +++ .../baseline/v1.31/fail/selinuxoptions0.yaml | 18 ++++ .../baseline/v1.31/fail/selinuxoptions1.yaml | 18 ++++ .../baseline/v1.31/fail/selinuxoptions2.yaml | 18 ++++ .../baseline/v1.31/fail/selinuxoptions3.yaml | 18 ++++ .../baseline/v1.31/fail/selinuxoptions4.yaml | 18 ++++ .../baseline/v1.31/fail/sysctls0.yaml | 15 +++ .../v1.31/fail/windowshostprocess0.yaml | 19 ++++ .../v1.31/fail/windowshostprocess1.yaml | 20 ++++ .../baseline/v1.31/pass/apparmorprofile0.yaml | 13 +++ test/testdata/baseline/v1.31/pass/base.yaml | 11 +++ .../v1.31/pass/capabilities_baseline0.yaml | 44 +++++++++ .../baseline/v1.31/pass/hostports0.yaml | 15 +++ .../baseline/v1.31/pass/privileged0.yaml | 16 
+++ .../baseline/v1.31/pass/procmount0.yaml | 17 ++++ .../v1.31/pass/seccompprofile_baseline0.yaml | 18 ++++ .../baseline/v1.31/pass/selinuxoptions0.yaml | 15 +++ .../baseline/v1.31/pass/selinuxoptions1.yaml | 21 ++++ .../baseline/v1.31/pass/sysctls0.yaml | 12 +++ .../baseline/v1.31/pass/sysctls1.yaml | 33 +++++++ .../v1.30/fail/allowprivilegeescalation0.yaml | 25 +++++ .../v1.30/fail/allowprivilegeescalation1.yaml | 25 +++++ .../v1.30/fail/allowprivilegeescalation2.yaml | 24 +++++ .../v1.30/fail/allowprivilegeescalation3.yaml | 20 ++++ .../v1.30/fail/apparmorprofile0.yaml | 27 ++++++ .../v1.30/fail/apparmorprofile1.yaml | 27 ++++++ .../v1.30/fail/capabilities_baseline0.yaml | 27 ++++++ .../v1.30/fail/capabilities_baseline1.yaml | 27 ++++++ .../v1.30/fail/capabilities_baseline2.yaml | 27 ++++++ .../v1.30/fail/capabilities_baseline3.yaml | 27 ++++++ .../v1.30/fail/capabilities_restricted0.yaml | 23 +++++ .../v1.30/fail/capabilities_restricted1.yaml | 23 +++++ .../v1.30/fail/capabilities_restricted2.yaml | 97 +++++++++++++++++++ .../v1.30/fail/capabilities_restricted3.yaml | 53 ++++++++++ .../v1.30/fail/hostnamespaces0.yaml | 26 +++++ .../v1.30/fail/hostnamespaces1.yaml | 26 +++++ .../v1.30/fail/hostnamespaces2.yaml | 26 +++++ .../v1.30/fail/hostpathvolumes0.yaml | 31 ++++++ .../v1.30/fail/hostpathvolumes1.yaml | 32 ++++++ .../restricted/v1.30/fail/hostports0.yaml | 28 ++++++ .../restricted/v1.30/fail/hostports1.yaml | 28 ++++++ .../restricted/v1.30/fail/hostports2.yaml | 33 +++++++ .../restricted/v1.30/fail/privileged0.yaml | 25 +++++ .../restricted/v1.30/fail/privileged1.yaml | 25 +++++ .../restricted/v1.30/fail/procmount0.yaml | 27 ++++++ .../restricted/v1.30/fail/procmount1.yaml | 27 ++++++ .../v1.30/fail/restrictedvolumes0.yaml | 29 ++++++ .../v1.30/fail/restrictedvolumes1.yaml | 29 ++++++ .../v1.30/fail/restrictedvolumes10.yaml | 29 ++++++ .../v1.30/fail/restrictedvolumes11.yaml | 30 ++++++ .../v1.30/fail/restrictedvolumes12.yaml | 30 ++++++ 
.../v1.30/fail/restrictedvolumes13.yaml | 29 ++++++ .../v1.30/fail/restrictedvolumes14.yaml | 30 ++++++ .../v1.30/fail/restrictedvolumes15.yaml | 30 ++++++ .../v1.30/fail/restrictedvolumes16.yaml | 30 ++++++ .../v1.30/fail/restrictedvolumes17.yaml | 32 ++++++ .../v1.30/fail/restrictedvolumes18.yaml | 29 ++++++ .../v1.30/fail/restrictedvolumes19.yaml | 29 ++++++ .../v1.30/fail/restrictedvolumes2.yaml | 29 ++++++ .../v1.30/fail/restrictedvolumes3.yaml | 30 ++++++ .../v1.30/fail/restrictedvolumes4.yaml | 31 ++++++ .../v1.30/fail/restrictedvolumes5.yaml | 30 ++++++ .../v1.30/fail/restrictedvolumes6.yaml | 31 ++++++ .../v1.30/fail/restrictedvolumes7.yaml | 29 ++++++ .../v1.30/fail/restrictedvolumes8.yaml | 29 ++++++ .../v1.30/fail/restrictedvolumes9.yaml | 30 ++++++ .../restricted/v1.30/fail/runasnonroot0.yaml | 24 +++++ .../restricted/v1.30/fail/runasnonroot1.yaml | 25 +++++ .../restricted/v1.30/fail/runasnonroot2.yaml | 26 +++++ .../restricted/v1.30/fail/runasnonroot3.yaml | 26 +++++ .../restricted/v1.30/fail/runasuser0.yaml | 26 +++++ .../restricted/v1.30/fail/runasuser1.yaml | 26 +++++ .../restricted/v1.30/fail/runasuser2.yaml | 26 +++++ .../v1.30/fail/seccompprofile_baseline0.yaml | 25 +++++ .../v1.30/fail/seccompprofile_baseline1.yaml | 27 ++++++ .../v1.30/fail/seccompprofile_baseline2.yaml | 27 ++++++ .../fail/seccompprofile_restricted0.yaml | 23 +++++ .../fail/seccompprofile_restricted1.yaml | 25 +++++ .../fail/seccompprofile_restricted2.yaml | 25 +++++ .../fail/seccompprofile_restricted3.yaml | 25 +++++ .../fail/seccompprofile_restricted4.yaml | 27 ++++++ .../v1.30/fail/selinuxoptions0.yaml | 29 ++++++ .../v1.30/fail/selinuxoptions1.yaml | 29 ++++++ .../v1.30/fail/selinuxoptions2.yaml | 29 ++++++ .../v1.30/fail/selinuxoptions3.yaml | 29 ++++++ .../v1.30/fail/selinuxoptions4.yaml | 29 ++++++ .../restricted/v1.30/fail/sysctls0.yaml | 28 ++++++ .../v1.30/fail/windowshostprocess0.yaml | 30 ++++++ .../v1.30/fail/windowshostprocess1.yaml | 31 ++++++ 
.../v1.30/pass/apparmorprofile0.yaml | 27 ++++++ test/testdata/restricted/v1.30/pass/base.yaml | 25 +++++ .../restricted/v1.30/pass/base_linux.yaml | 27 ++++++ .../restricted/v1.30/pass/base_windows.yaml | 15 +++ .../v1.30/pass/capabilities_restricted0.yaml | 29 ++++++ .../restricted/v1.30/pass/hostports0.yaml | 29 ++++++ .../restricted/v1.30/pass/privileged0.yaml | 27 ++++++ .../restricted/v1.30/pass/procmount0.yaml | 28 ++++++ .../v1.30/pass/restrictedvolumes0.yaml | 47 +++++++++ .../restricted/v1.30/pass/runasnonroot0.yaml | 25 +++++ .../restricted/v1.30/pass/runasnonroot1.yaml | 26 +++++ .../restricted/v1.30/pass/runasuser0.yaml | 28 ++++++ .../pass/seccompprofile_restricted0.yaml | 25 +++++ .../pass/seccompprofile_restricted1.yaml | 26 +++++ .../pass/seccompprofile_restricted2.yaml | 28 ++++++ .../v1.30/pass/selinuxoptions0.yaml | 26 +++++ .../v1.30/pass/selinuxoptions1.yaml | 32 ++++++ .../restricted/v1.30/pass/sysctls0.yaml | 25 +++++ .../restricted/v1.30/pass/sysctls1.yaml | 46 +++++++++ .../v1.31/fail/allowprivilegeescalation0.yaml | 25 +++++ .../v1.31/fail/allowprivilegeescalation1.yaml | 25 +++++ .../v1.31/fail/allowprivilegeescalation2.yaml | 24 +++++ .../v1.31/fail/allowprivilegeescalation3.yaml | 20 ++++ .../v1.31/fail/apparmorprofile0.yaml | 27 ++++++ .../v1.31/fail/apparmorprofile1.yaml | 27 ++++++ .../v1.31/fail/capabilities_baseline0.yaml | 27 ++++++ .../v1.31/fail/capabilities_baseline1.yaml | 27 ++++++ .../v1.31/fail/capabilities_baseline2.yaml | 27 ++++++ .../v1.31/fail/capabilities_baseline3.yaml | 27 ++++++ .../v1.31/fail/capabilities_restricted0.yaml | 23 +++++ .../v1.31/fail/capabilities_restricted1.yaml | 23 +++++ .../v1.31/fail/capabilities_restricted2.yaml | 97 +++++++++++++++++++ .../v1.31/fail/capabilities_restricted3.yaml | 53 ++++++++++ .../v1.31/fail/hostnamespaces0.yaml | 26 +++++ .../v1.31/fail/hostnamespaces1.yaml | 26 +++++ .../v1.31/fail/hostnamespaces2.yaml | 26 +++++ .../v1.31/fail/hostpathvolumes0.yaml | 31 ++++++ 
.../v1.31/fail/hostpathvolumes1.yaml | 32 ++++++ .../restricted/v1.31/fail/hostports0.yaml | 28 ++++++ .../restricted/v1.31/fail/hostports1.yaml | 28 ++++++ .../restricted/v1.31/fail/hostports2.yaml | 33 +++++++ .../restricted/v1.31/fail/privileged0.yaml | 25 +++++ .../restricted/v1.31/fail/privileged1.yaml | 25 +++++ .../restricted/v1.31/fail/procmount0.yaml | 27 ++++++ .../restricted/v1.31/fail/procmount1.yaml | 27 ++++++ .../v1.31/fail/restrictedvolumes0.yaml | 29 ++++++ .../v1.31/fail/restrictedvolumes1.yaml | 29 ++++++ .../v1.31/fail/restrictedvolumes10.yaml | 29 ++++++ .../v1.31/fail/restrictedvolumes11.yaml | 30 ++++++ .../v1.31/fail/restrictedvolumes12.yaml | 30 ++++++ .../v1.31/fail/restrictedvolumes13.yaml | 29 ++++++ .../v1.31/fail/restrictedvolumes14.yaml | 30 ++++++ .../v1.31/fail/restrictedvolumes15.yaml | 30 ++++++ .../v1.31/fail/restrictedvolumes16.yaml | 30 ++++++ .../v1.31/fail/restrictedvolumes17.yaml | 32 ++++++ .../v1.31/fail/restrictedvolumes18.yaml | 29 ++++++ .../v1.31/fail/restrictedvolumes19.yaml | 29 ++++++ .../v1.31/fail/restrictedvolumes2.yaml | 29 ++++++ .../v1.31/fail/restrictedvolumes3.yaml | 30 ++++++ .../v1.31/fail/restrictedvolumes4.yaml | 31 ++++++ .../v1.31/fail/restrictedvolumes5.yaml | 30 ++++++ .../v1.31/fail/restrictedvolumes6.yaml | 31 ++++++ .../v1.31/fail/restrictedvolumes7.yaml | 29 ++++++ .../v1.31/fail/restrictedvolumes8.yaml | 29 ++++++ .../v1.31/fail/restrictedvolumes9.yaml | 30 ++++++ .../restricted/v1.31/fail/runasnonroot0.yaml | 24 +++++ .../restricted/v1.31/fail/runasnonroot1.yaml | 25 +++++ .../restricted/v1.31/fail/runasnonroot2.yaml | 26 +++++ .../restricted/v1.31/fail/runasnonroot3.yaml | 26 +++++ .../restricted/v1.31/fail/runasuser0.yaml | 26 +++++ .../restricted/v1.31/fail/runasuser1.yaml | 26 +++++ .../restricted/v1.31/fail/runasuser2.yaml | 26 +++++ .../v1.31/fail/seccompprofile_baseline0.yaml | 25 +++++ .../v1.31/fail/seccompprofile_baseline1.yaml | 27 ++++++ .../v1.31/fail/seccompprofile_baseline2.yaml 
| 27 ++++++ .../fail/seccompprofile_restricted0.yaml | 23 +++++ .../fail/seccompprofile_restricted1.yaml | 25 +++++ .../fail/seccompprofile_restricted2.yaml | 25 +++++ .../fail/seccompprofile_restricted3.yaml | 25 +++++ .../fail/seccompprofile_restricted4.yaml | 27 ++++++ .../v1.31/fail/selinuxoptions0.yaml | 29 ++++++ .../v1.31/fail/selinuxoptions1.yaml | 29 ++++++ .../v1.31/fail/selinuxoptions2.yaml | 29 ++++++ .../v1.31/fail/selinuxoptions3.yaml | 29 ++++++ .../v1.31/fail/selinuxoptions4.yaml | 29 ++++++ .../restricted/v1.31/fail/sysctls0.yaml | 28 ++++++ .../v1.31/fail/windowshostprocess0.yaml | 30 ++++++ .../v1.31/fail/windowshostprocess1.yaml | 31 ++++++ .../v1.31/pass/apparmorprofile0.yaml | 27 ++++++ test/testdata/restricted/v1.31/pass/base.yaml | 25 +++++ .../restricted/v1.31/pass/base_linux.yaml | 27 ++++++ .../restricted/v1.31/pass/base_windows.yaml | 15 +++ .../v1.31/pass/capabilities_restricted0.yaml | 29 ++++++ .../restricted/v1.31/pass/hostports0.yaml | 29 ++++++ .../restricted/v1.31/pass/privileged0.yaml | 27 ++++++ .../restricted/v1.31/pass/procmount0.yaml | 28 ++++++ .../v1.31/pass/restrictedvolumes0.yaml | 47 +++++++++ .../restricted/v1.31/pass/runasnonroot0.yaml | 25 +++++ .../restricted/v1.31/pass/runasnonroot1.yaml | 26 +++++ .../restricted/v1.31/pass/runasuser0.yaml | 28 ++++++ .../pass/seccompprofile_restricted0.yaml | 25 +++++ .../pass/seccompprofile_restricted1.yaml | 26 +++++ .../pass/seccompprofile_restricted2.yaml | 28 ++++++ .../v1.31/pass/selinuxoptions0.yaml | 26 +++++ .../v1.31/pass/selinuxoptions1.yaml | 32 ++++++ .../restricted/v1.31/pass/sysctls0.yaml | 25 +++++ .../restricted/v1.31/pass/sysctls1.yaml | 46 +++++++++ 257 files changed, 6449 insertions(+), 1 deletion(-) create mode 100755 test/testdata/baseline/v1.30/fail/apparmorprofile0.yaml create mode 100755 test/testdata/baseline/v1.30/fail/apparmorprofile1.yaml create mode 100755 test/testdata/baseline/v1.30/fail/capabilities_baseline0.yaml create mode 100755 
test/testdata/baseline/v1.30/fail/capabilities_baseline1.yaml create mode 100755 test/testdata/baseline/v1.30/fail/capabilities_baseline2.yaml create mode 100755 test/testdata/baseline/v1.30/fail/capabilities_baseline3.yaml create mode 100755 test/testdata/baseline/v1.30/fail/hostnamespaces0.yaml create mode 100755 test/testdata/baseline/v1.30/fail/hostnamespaces1.yaml create mode 100755 test/testdata/baseline/v1.30/fail/hostnamespaces2.yaml create mode 100755 test/testdata/baseline/v1.30/fail/hostpathvolumes0.yaml create mode 100755 test/testdata/baseline/v1.30/fail/hostpathvolumes1.yaml create mode 100755 test/testdata/baseline/v1.30/fail/hostports0.yaml create mode 100755 test/testdata/baseline/v1.30/fail/hostports1.yaml create mode 100755 test/testdata/baseline/v1.30/fail/hostports2.yaml create mode 100755 test/testdata/baseline/v1.30/fail/privileged0.yaml create mode 100755 test/testdata/baseline/v1.30/fail/privileged1.yaml create mode 100755 test/testdata/baseline/v1.30/fail/procmount0.yaml create mode 100755 test/testdata/baseline/v1.30/fail/procmount1.yaml create mode 100755 test/testdata/baseline/v1.30/fail/seccompprofile_baseline0.yaml create mode 100755 test/testdata/baseline/v1.30/fail/seccompprofile_baseline1.yaml create mode 100755 test/testdata/baseline/v1.30/fail/seccompprofile_baseline2.yaml create mode 100755 test/testdata/baseline/v1.30/fail/selinuxoptions0.yaml create mode 100755 test/testdata/baseline/v1.30/fail/selinuxoptions1.yaml create mode 100755 test/testdata/baseline/v1.30/fail/selinuxoptions2.yaml create mode 100755 test/testdata/baseline/v1.30/fail/selinuxoptions3.yaml create mode 100755 test/testdata/baseline/v1.30/fail/selinuxoptions4.yaml create mode 100755 test/testdata/baseline/v1.30/fail/sysctls0.yaml create mode 100755 test/testdata/baseline/v1.30/fail/windowshostprocess0.yaml create mode 100755 test/testdata/baseline/v1.30/fail/windowshostprocess1.yaml create mode 100755 test/testdata/baseline/v1.30/pass/apparmorprofile0.yaml 
create mode 100755 test/testdata/baseline/v1.30/pass/base.yaml create mode 100755 test/testdata/baseline/v1.30/pass/capabilities_baseline0.yaml create mode 100755 test/testdata/baseline/v1.30/pass/hostports0.yaml create mode 100755 test/testdata/baseline/v1.30/pass/privileged0.yaml create mode 100755 test/testdata/baseline/v1.30/pass/procmount0.yaml create mode 100755 test/testdata/baseline/v1.30/pass/seccompprofile_baseline0.yaml create mode 100755 test/testdata/baseline/v1.30/pass/selinuxoptions0.yaml create mode 100755 test/testdata/baseline/v1.30/pass/selinuxoptions1.yaml create mode 100755 test/testdata/baseline/v1.30/pass/sysctls0.yaml create mode 100755 test/testdata/baseline/v1.30/pass/sysctls1.yaml create mode 100755 test/testdata/baseline/v1.31/fail/apparmorprofile0.yaml create mode 100755 test/testdata/baseline/v1.31/fail/apparmorprofile1.yaml create mode 100755 test/testdata/baseline/v1.31/fail/capabilities_baseline0.yaml create mode 100755 test/testdata/baseline/v1.31/fail/capabilities_baseline1.yaml create mode 100755 test/testdata/baseline/v1.31/fail/capabilities_baseline2.yaml create mode 100755 test/testdata/baseline/v1.31/fail/capabilities_baseline3.yaml create mode 100755 test/testdata/baseline/v1.31/fail/hostnamespaces0.yaml create mode 100755 test/testdata/baseline/v1.31/fail/hostnamespaces1.yaml create mode 100755 test/testdata/baseline/v1.31/fail/hostnamespaces2.yaml create mode 100755 test/testdata/baseline/v1.31/fail/hostpathvolumes0.yaml create mode 100755 test/testdata/baseline/v1.31/fail/hostpathvolumes1.yaml create mode 100755 test/testdata/baseline/v1.31/fail/hostports0.yaml create mode 100755 test/testdata/baseline/v1.31/fail/hostports1.yaml create mode 100755 test/testdata/baseline/v1.31/fail/hostports2.yaml create mode 100755 test/testdata/baseline/v1.31/fail/privileged0.yaml create mode 100755 test/testdata/baseline/v1.31/fail/privileged1.yaml create mode 100755 test/testdata/baseline/v1.31/fail/procmount0.yaml create mode 100755 
test/testdata/baseline/v1.31/fail/procmount1.yaml create mode 100755 test/testdata/baseline/v1.31/fail/seccompprofile_baseline0.yaml create mode 100755 test/testdata/baseline/v1.31/fail/seccompprofile_baseline1.yaml create mode 100755 test/testdata/baseline/v1.31/fail/seccompprofile_baseline2.yaml create mode 100755 test/testdata/baseline/v1.31/fail/selinuxoptions0.yaml create mode 100755 test/testdata/baseline/v1.31/fail/selinuxoptions1.yaml create mode 100755 test/testdata/baseline/v1.31/fail/selinuxoptions2.yaml create mode 100755 test/testdata/baseline/v1.31/fail/selinuxoptions3.yaml create mode 100755 test/testdata/baseline/v1.31/fail/selinuxoptions4.yaml create mode 100755 test/testdata/baseline/v1.31/fail/sysctls0.yaml create mode 100755 test/testdata/baseline/v1.31/fail/windowshostprocess0.yaml create mode 100755 test/testdata/baseline/v1.31/fail/windowshostprocess1.yaml create mode 100755 test/testdata/baseline/v1.31/pass/apparmorprofile0.yaml create mode 100755 test/testdata/baseline/v1.31/pass/base.yaml create mode 100755 test/testdata/baseline/v1.31/pass/capabilities_baseline0.yaml create mode 100755 test/testdata/baseline/v1.31/pass/hostports0.yaml create mode 100755 test/testdata/baseline/v1.31/pass/privileged0.yaml create mode 100755 test/testdata/baseline/v1.31/pass/procmount0.yaml create mode 100755 test/testdata/baseline/v1.31/pass/seccompprofile_baseline0.yaml create mode 100755 test/testdata/baseline/v1.31/pass/selinuxoptions0.yaml create mode 100755 test/testdata/baseline/v1.31/pass/selinuxoptions1.yaml create mode 100755 test/testdata/baseline/v1.31/pass/sysctls0.yaml create mode 100755 test/testdata/baseline/v1.31/pass/sysctls1.yaml create mode 100755 test/testdata/restricted/v1.30/fail/allowprivilegeescalation0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/allowprivilegeescalation1.yaml create mode 100755 test/testdata/restricted/v1.30/fail/allowprivilegeescalation2.yaml create mode 100755 
test/testdata/restricted/v1.30/fail/allowprivilegeescalation3.yaml create mode 100755 test/testdata/restricted/v1.30/fail/apparmorprofile0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/apparmorprofile1.yaml create mode 100755 test/testdata/restricted/v1.30/fail/capabilities_baseline0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/capabilities_baseline1.yaml create mode 100755 test/testdata/restricted/v1.30/fail/capabilities_baseline2.yaml create mode 100755 test/testdata/restricted/v1.30/fail/capabilities_baseline3.yaml create mode 100755 test/testdata/restricted/v1.30/fail/capabilities_restricted0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/capabilities_restricted1.yaml create mode 100755 test/testdata/restricted/v1.30/fail/capabilities_restricted2.yaml create mode 100755 test/testdata/restricted/v1.30/fail/capabilities_restricted3.yaml create mode 100755 test/testdata/restricted/v1.30/fail/hostnamespaces0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/hostnamespaces1.yaml create mode 100755 test/testdata/restricted/v1.30/fail/hostnamespaces2.yaml create mode 100755 test/testdata/restricted/v1.30/fail/hostpathvolumes0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/hostpathvolumes1.yaml create mode 100755 test/testdata/restricted/v1.30/fail/hostports0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/hostports1.yaml create mode 100755 test/testdata/restricted/v1.30/fail/hostports2.yaml create mode 100755 test/testdata/restricted/v1.30/fail/privileged0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/privileged1.yaml create mode 100755 test/testdata/restricted/v1.30/fail/procmount0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/procmount1.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes1.yaml create mode 100755 
test/testdata/restricted/v1.30/fail/restrictedvolumes10.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes11.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes12.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes13.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes14.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes15.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes16.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes17.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes18.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes19.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes2.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes3.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes4.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes5.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes6.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes7.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes8.yaml create mode 100755 test/testdata/restricted/v1.30/fail/restrictedvolumes9.yaml create mode 100755 test/testdata/restricted/v1.30/fail/runasnonroot0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/runasnonroot1.yaml create mode 100755 test/testdata/restricted/v1.30/fail/runasnonroot2.yaml create mode 100755 test/testdata/restricted/v1.30/fail/runasnonroot3.yaml create mode 100755 test/testdata/restricted/v1.30/fail/runasuser0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/runasuser1.yaml create mode 100755 test/testdata/restricted/v1.30/fail/runasuser2.yaml create mode 100755 
test/testdata/restricted/v1.30/fail/seccompprofile_baseline0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/seccompprofile_baseline1.yaml create mode 100755 test/testdata/restricted/v1.30/fail/seccompprofile_baseline2.yaml create mode 100755 test/testdata/restricted/v1.30/fail/seccompprofile_restricted0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/seccompprofile_restricted1.yaml create mode 100755 test/testdata/restricted/v1.30/fail/seccompprofile_restricted2.yaml create mode 100755 test/testdata/restricted/v1.30/fail/seccompprofile_restricted3.yaml create mode 100755 test/testdata/restricted/v1.30/fail/seccompprofile_restricted4.yaml create mode 100755 test/testdata/restricted/v1.30/fail/selinuxoptions0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/selinuxoptions1.yaml create mode 100755 test/testdata/restricted/v1.30/fail/selinuxoptions2.yaml create mode 100755 test/testdata/restricted/v1.30/fail/selinuxoptions3.yaml create mode 100755 test/testdata/restricted/v1.30/fail/selinuxoptions4.yaml create mode 100755 test/testdata/restricted/v1.30/fail/sysctls0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/windowshostprocess0.yaml create mode 100755 test/testdata/restricted/v1.30/fail/windowshostprocess1.yaml create mode 100755 test/testdata/restricted/v1.30/pass/apparmorprofile0.yaml create mode 100755 test/testdata/restricted/v1.30/pass/base.yaml create mode 100755 test/testdata/restricted/v1.30/pass/base_linux.yaml create mode 100755 test/testdata/restricted/v1.30/pass/base_windows.yaml create mode 100755 test/testdata/restricted/v1.30/pass/capabilities_restricted0.yaml create mode 100755 test/testdata/restricted/v1.30/pass/hostports0.yaml create mode 100755 test/testdata/restricted/v1.30/pass/privileged0.yaml create mode 100755 test/testdata/restricted/v1.30/pass/procmount0.yaml create mode 100755 test/testdata/restricted/v1.30/pass/restrictedvolumes0.yaml create mode 100755 
test/testdata/restricted/v1.30/pass/runasnonroot0.yaml create mode 100755 test/testdata/restricted/v1.30/pass/runasnonroot1.yaml create mode 100755 test/testdata/restricted/v1.30/pass/runasuser0.yaml create mode 100755 test/testdata/restricted/v1.30/pass/seccompprofile_restricted0.yaml create mode 100755 test/testdata/restricted/v1.30/pass/seccompprofile_restricted1.yaml create mode 100755 test/testdata/restricted/v1.30/pass/seccompprofile_restricted2.yaml create mode 100755 test/testdata/restricted/v1.30/pass/selinuxoptions0.yaml create mode 100755 test/testdata/restricted/v1.30/pass/selinuxoptions1.yaml create mode 100755 test/testdata/restricted/v1.30/pass/sysctls0.yaml create mode 100755 test/testdata/restricted/v1.30/pass/sysctls1.yaml create mode 100755 test/testdata/restricted/v1.31/fail/allowprivilegeescalation0.yaml create mode 100755 test/testdata/restricted/v1.31/fail/allowprivilegeescalation1.yaml create mode 100755 test/testdata/restricted/v1.31/fail/allowprivilegeescalation2.yaml create mode 100755 test/testdata/restricted/v1.31/fail/allowprivilegeescalation3.yaml create mode 100755 test/testdata/restricted/v1.31/fail/apparmorprofile0.yaml create mode 100755 test/testdata/restricted/v1.31/fail/apparmorprofile1.yaml create mode 100755 test/testdata/restricted/v1.31/fail/capabilities_baseline0.yaml create mode 100755 test/testdata/restricted/v1.31/fail/capabilities_baseline1.yaml create mode 100755 test/testdata/restricted/v1.31/fail/capabilities_baseline2.yaml create mode 100755 test/testdata/restricted/v1.31/fail/capabilities_baseline3.yaml create mode 100755 test/testdata/restricted/v1.31/fail/capabilities_restricted0.yaml create mode 100755 test/testdata/restricted/v1.31/fail/capabilities_restricted1.yaml create mode 100755 test/testdata/restricted/v1.31/fail/capabilities_restricted2.yaml create mode 100755 test/testdata/restricted/v1.31/fail/capabilities_restricted3.yaml create mode 100755 test/testdata/restricted/v1.31/fail/hostnamespaces0.yaml 
create mode 100755 test/testdata/restricted/v1.31/fail/hostnamespaces1.yaml create mode 100755 test/testdata/restricted/v1.31/fail/hostnamespaces2.yaml create mode 100755 test/testdata/restricted/v1.31/fail/hostpathvolumes0.yaml create mode 100755 test/testdata/restricted/v1.31/fail/hostpathvolumes1.yaml create mode 100755 test/testdata/restricted/v1.31/fail/hostports0.yaml create mode 100755 test/testdata/restricted/v1.31/fail/hostports1.yaml create mode 100755 test/testdata/restricted/v1.31/fail/hostports2.yaml create mode 100755 test/testdata/restricted/v1.31/fail/privileged0.yaml create mode 100755 test/testdata/restricted/v1.31/fail/privileged1.yaml create mode 100755 test/testdata/restricted/v1.31/fail/procmount0.yaml create mode 100755 test/testdata/restricted/v1.31/fail/procmount1.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes0.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes1.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes10.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes11.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes12.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes13.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes14.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes15.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes16.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes17.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes18.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes19.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes2.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes3.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes4.yaml 
create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes5.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes6.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes7.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes8.yaml create mode 100755 test/testdata/restricted/v1.31/fail/restrictedvolumes9.yaml create mode 100755 test/testdata/restricted/v1.31/fail/runasnonroot0.yaml create mode 100755 test/testdata/restricted/v1.31/fail/runasnonroot1.yaml create mode 100755 test/testdata/restricted/v1.31/fail/runasnonroot2.yaml create mode 100755 test/testdata/restricted/v1.31/fail/runasnonroot3.yaml create mode 100755 test/testdata/restricted/v1.31/fail/runasuser0.yaml create mode 100755 test/testdata/restricted/v1.31/fail/runasuser1.yaml create mode 100755 test/testdata/restricted/v1.31/fail/runasuser2.yaml create mode 100755 test/testdata/restricted/v1.31/fail/seccompprofile_baseline0.yaml create mode 100755 test/testdata/restricted/v1.31/fail/seccompprofile_baseline1.yaml create mode 100755 test/testdata/restricted/v1.31/fail/seccompprofile_baseline2.yaml create mode 100755 test/testdata/restricted/v1.31/fail/seccompprofile_restricted0.yaml create mode 100755 test/testdata/restricted/v1.31/fail/seccompprofile_restricted1.yaml create mode 100755 test/testdata/restricted/v1.31/fail/seccompprofile_restricted2.yaml create mode 100755 test/testdata/restricted/v1.31/fail/seccompprofile_restricted3.yaml create mode 100755 test/testdata/restricted/v1.31/fail/seccompprofile_restricted4.yaml create mode 100755 test/testdata/restricted/v1.31/fail/selinuxoptions0.yaml create mode 100755 test/testdata/restricted/v1.31/fail/selinuxoptions1.yaml create mode 100755 test/testdata/restricted/v1.31/fail/selinuxoptions2.yaml create mode 100755 test/testdata/restricted/v1.31/fail/selinuxoptions3.yaml create mode 100755 test/testdata/restricted/v1.31/fail/selinuxoptions4.yaml create mode 100755 
test/testdata/restricted/v1.31/fail/sysctls0.yaml create mode 100755 test/testdata/restricted/v1.31/fail/windowshostprocess0.yaml create mode 100755 test/testdata/restricted/v1.31/fail/windowshostprocess1.yaml create mode 100755 test/testdata/restricted/v1.31/pass/apparmorprofile0.yaml create mode 100755 test/testdata/restricted/v1.31/pass/base.yaml create mode 100755 test/testdata/restricted/v1.31/pass/base_linux.yaml create mode 100755 test/testdata/restricted/v1.31/pass/base_windows.yaml create mode 100755 test/testdata/restricted/v1.31/pass/capabilities_restricted0.yaml create mode 100755 test/testdata/restricted/v1.31/pass/hostports0.yaml create mode 100755 test/testdata/restricted/v1.31/pass/privileged0.yaml create mode 100755 test/testdata/restricted/v1.31/pass/procmount0.yaml create mode 100755 test/testdata/restricted/v1.31/pass/restrictedvolumes0.yaml create mode 100755 test/testdata/restricted/v1.31/pass/runasnonroot0.yaml create mode 100755 test/testdata/restricted/v1.31/pass/runasnonroot1.yaml create mode 100755 test/testdata/restricted/v1.31/pass/runasuser0.yaml create mode 100755 test/testdata/restricted/v1.31/pass/seccompprofile_restricted0.yaml create mode 100755 test/testdata/restricted/v1.31/pass/seccompprofile_restricted1.yaml create mode 100755 test/testdata/restricted/v1.31/pass/seccompprofile_restricted2.yaml create mode 100755 test/testdata/restricted/v1.31/pass/selinuxoptions0.yaml create mode 100755 test/testdata/restricted/v1.31/pass/selinuxoptions1.yaml create mode 100755 test/testdata/restricted/v1.31/pass/sysctls0.yaml create mode 100755 test/testdata/restricted/v1.31/pass/sysctls1.yaml
diff --git a/test/run.go b/test/run.go
index ac25ae9..56ccbf9 100644
--- a/test/run.go
+++ b/test/run.go
@@ -37,7 +37,7 @@ import (
 )
 const (
- newestMinorVersionToTest = 29
+ newestMinorVersionToTest = 31
 podOSBasedRestrictionEnabledVersion = 29
 )
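Review bot: `newestMinorVersionToTest = 31` jumps two minors at once and nothing in the const block says what the value has to agree with; from the diffstat it must match the newest `test/testdata/{baseline,restricted}/v1.<minor>` directories, which this same commit adds for v1.30 and v1.31. Unless a comment above the hunk already covers it, a one-liner on the constant would make that coupling explicit, e.g. `// newestMinorVersionToTest must match the newest v1.<minor> fixture directory under test/testdata; bump it when regenerating fixtures.` `podOSBasedRestrictionEnabledVersion = 29` is left alone, which presumably is intentional since its name suggests the minor in which OS-based restrictions started rather than the newest fixture set.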
diff --git a/test/testdata/baseline/v1.30/fail/apparmorprofile0.yaml b/test/testdata/baseline/v1.30/fail/apparmorprofile0.yaml
new file mode 100755
index 0000000..87475d3
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/apparmorprofile0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container1: unconfined
+ name: apparmorprofile0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/test/testdata/baseline/v1.30/fail/apparmorprofile1.yaml b/test/testdata/baseline/v1.30/fail/apparmorprofile1.yaml
new file mode 100755
index 0000000..5940a63
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/apparmorprofile1.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
+ name: apparmorprofile1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/test/testdata/baseline/v1.30/fail/capabilities_baseline0.yaml b/test/testdata/baseline/v1.30/fail/capabilities_baseline0.yaml
new file mode 100755
index 0000000..e01a9de
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/capabilities_baseline0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.30/fail/capabilities_baseline1.yaml b/test/testdata/baseline/v1.30/fail/capabilities_baseline1.yaml
new file mode 100755
index 0000000..92239d1
--- /dev/null
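Review bot: Every fixture in this commit is added as `new file mode 100755`, i.e. with the executable bit set, which is unnecessary for YAML test data and tends to resurface later as spurious mode-only diffs; `100644` is the conventional mode, so the files should be committed after `chmod -x`. This applies to all of the `new file mode 100755` headers that follow, from `fail/apparmorprofile1.yaml` through `pass/sysctls1.yaml` under both `v1.30` and `v1.31`, not just this hunk. The blob ids are also identical between the two version directories (for example `87475d3` for `apparmorprofile0.yaml` in both), which suggests the v1.31 tree is a verbatim copy of v1.30; if the runner needs a directory per version that is fine, but a sentence in the commit message saying so would save a reviewer checking each hash.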
+++ b/test/testdata/baseline/v1.30/fail/capabilities_baseline1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.30/fail/capabilities_baseline2.yaml b/test/testdata/baseline/v1.30/fail/capabilities_baseline2.yaml
new file mode 100755
index 0000000..089d8c1
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/capabilities_baseline2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.30/fail/capabilities_baseline3.yaml b/test/testdata/baseline/v1.30/fail/capabilities_baseline3.yaml
new file mode 100755
index 0000000..4befa1e
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/capabilities_baseline3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.30/fail/hostnamespaces0.yaml b/test/testdata/baseline/v1.30/fail/hostnamespaces0.yaml
new file mode 100755
index 0000000..1c4ca9a
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/hostnamespaces0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostnamespaces0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ hostIPC: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/test/testdata/baseline/v1.30/fail/hostnamespaces1.yaml b/test/testdata/baseline/v1.30/fail/hostnamespaces1.yaml
new file mode 100755
index 0000000..7967a6d
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/hostnamespaces1.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostnamespaces1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ hostNetwork: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/test/testdata/baseline/v1.30/fail/hostnamespaces2.yaml b/test/testdata/baseline/v1.30/fail/hostnamespaces2.yaml
new file mode 100755
index 0000000..0003966
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/hostnamespaces2.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostnamespaces2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ hostPID: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/test/testdata/baseline/v1.30/fail/hostpathvolumes0.yaml b/test/testdata/baseline/v1.30/fail/hostpathvolumes0.yaml
new file mode 100755
index 0000000..7f02613
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/hostpathvolumes0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpathvolumes0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ volumes:
+ - emptyDir: {}
+ name: volume-emptydir
+ - hostPath:
+ path: /a
+ name: volume-hostpath
diff --git a/test/testdata/baseline/v1.30/fail/hostpathvolumes1.yaml b/test/testdata/baseline/v1.30/fail/hostpathvolumes1.yaml
new file mode 100755
index 0000000..382d27f
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/hostpathvolumes1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpathvolumes1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /a
+ name: volume-hostpath-a
+ - hostPath:
+ path: /b
+ name: volume-hostpath-b
diff --git a/test/testdata/baseline/v1.30/fail/hostports0.yaml b/test/testdata/baseline/v1.30/fail/hostports0.yaml
new file mode 100755
index 0000000..ebfdcd4
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/hostports0.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ hostPort: 12345
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/test/testdata/baseline/v1.30/fail/hostports1.yaml b/test/testdata/baseline/v1.30/fail/hostports1.yaml
new file mode 100755
index 0000000..d9a2b97
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/hostports1.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
+ hostPort: 12346
diff --git a/test/testdata/baseline/v1.30/fail/hostports2.yaml b/test/testdata/baseline/v1.30/fail/hostports2.yaml
new file mode 100755
index 0000000..61b3388
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/hostports2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ hostPort: 12345
+ - containerPort: 12347
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
+ hostPort: 12346
+ - containerPort: 12348
diff --git a/test/testdata/baseline/v1.30/fail/privileged0.yaml b/test/testdata/baseline/v1.30/fail/privileged0.yaml
new file mode 100755
index 0000000..e5cc7b9
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/privileged0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.30/fail/privileged1.yaml b/test/testdata/baseline/v1.30/fail/privileged1.yaml
new file mode 100755
index 0000000..31935b9
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/privileged1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.30/fail/procmount0.yaml b/test/testdata/baseline/v1.30/fail/procmount0.yaml
new file mode 100755
index 0000000..b443b30
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/procmount0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ procMount: Unmasked
+ hostUsers: false
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.30/fail/procmount1.yaml b/test/testdata/baseline/v1.30/fail/procmount1.yaml
new file mode 100755
index 0000000..f5d907d
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/procmount1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext: {}
+ hostUsers: false
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ procMount: Unmasked
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.30/fail/seccompprofile_baseline0.yaml b/test/testdata/baseline/v1.30/fail/seccompprofile_baseline0.yaml
new file mode 100755
index 0000000..f455958
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/seccompprofile_baseline0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seccompProfile:
+ type: Unconfined
diff --git a/test/testdata/baseline/v1.30/fail/seccompprofile_baseline1.yaml b/test/testdata/baseline/v1.30/fail/seccompprofile_baseline1.yaml
new file mode 100755
index 0000000..8a86112
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/seccompprofile_baseline1.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.30/fail/seccompprofile_baseline2.yaml b/test/testdata/baseline/v1.30/fail/seccompprofile_baseline2.yaml
new file mode 100755
index 0000000..2182255
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/seccompprofile_baseline2.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.30/fail/selinuxoptions0.yaml b/test/testdata/baseline/v1.30/fail/selinuxoptions0.yaml
new file mode 100755
index 0000000..f330707
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/selinuxoptions0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
diff --git a/test/testdata/baseline/v1.30/fail/selinuxoptions1.yaml b/test/testdata/baseline/v1.30/fail/selinuxoptions1.yaml
new file mode 100755
index 0000000..6629d05
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/selinuxoptions1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions: {}
diff --git a/test/testdata/baseline/v1.30/fail/selinuxoptions2.yaml b/test/testdata/baseline/v1.30/fail/selinuxoptions2.yaml
new file mode 100755
index 0000000..65876a9
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/selinuxoptions2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ seLinuxOptions: {}
diff --git a/test/testdata/baseline/v1.30/fail/selinuxoptions3.yaml b/test/testdata/baseline/v1.30/fail/selinuxoptions3.yaml
new file mode 100755
index 0000000..71d89fb
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/selinuxoptions3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ user: somevalue
diff --git a/test/testdata/baseline/v1.30/fail/selinuxoptions4.yaml b/test/testdata/baseline/v1.30/fail/selinuxoptions4.yaml
new file mode 100755
index 0000000..74e05cb
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/selinuxoptions4.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions4
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext:
+ seLinuxOptions:
+ role: somevalue
diff --git a/test/testdata/baseline/v1.30/fail/sysctls0.yaml b/test/testdata/baseline/v1.30/fail/sysctls0.yaml
new file mode 100755
index 0000000..81508d6
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/sysctls0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/test/testdata/baseline/v1.30/fail/windowshostprocess0.yaml b/test/testdata/baseline/v1.30/fail/windowshostprocess0.yaml
new file mode 100755
index 0000000..1e506b1
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/windowshostprocess0.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: windowshostprocess0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ windowsOptions: {}
+ hostNetwork: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ windowsOptions: {}
+ securityContext:
+ windowsOptions:
+ hostProcess: true
diff --git a/test/testdata/baseline/v1.30/fail/windowshostprocess1.yaml b/test/testdata/baseline/v1.30/fail/windowshostprocess1.yaml
new file mode 100755
index 0000000..1a9d3e9
--- /dev/null
+++ b/test/testdata/baseline/v1.30/fail/windowshostprocess1.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: windowshostprocess1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ windowsOptions:
+ hostProcess: true
+ hostNetwork: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ windowsOptions:
+ hostProcess: true
+ securityContext:
+ windowsOptions: {}
diff --git a/test/testdata/baseline/v1.30/pass/apparmorprofile0.yaml b/test/testdata/baseline/v1.30/pass/apparmorprofile0.yaml
new file mode 100755
index 0000000..213a6a6
--- /dev/null
+++ b/test/testdata/baseline/v1.30/pass/apparmorprofile0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
+ name: apparmorprofile0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/test/testdata/baseline/v1.30/pass/base.yaml b/test/testdata/baseline/v1.30/pass/base.yaml
new file mode 100755
index 0000000..387a4be
--- /dev/null
+++ b/test/testdata/baseline/v1.30/pass/base.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/test/testdata/baseline/v1.30/pass/capabilities_baseline0.yaml b/test/testdata/baseline/v1.30/pass/capabilities_baseline0.yaml
new file mode 100755
index 0000000..df93c1c
--- /dev/null
+++ b/test/testdata/baseline/v1.30/pass/capabilities_baseline0.yaml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.30/pass/hostports0.yaml b/test/testdata/baseline/v1.30/pass/hostports0.yaml
new file mode 100755
index 0000000..61fddcc
--- /dev/null
+++ b/test/testdata/baseline/v1.30/pass/hostports0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
diff --git a/test/testdata/baseline/v1.30/pass/privileged0.yaml b/test/testdata/baseline/v1.30/pass/privileged0.yaml
new file mode 100755
index 0000000..0b64b68
--- /dev/null
+++ b/test/testdata/baseline/v1.30/pass/privileged0.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ privileged: false
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: false
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.30/pass/procmount0.yaml b/test/testdata/baseline/v1.30/pass/procmount0.yaml
new file mode 100755
index 0000000..5346851
--- /dev/null
+++ b/test/testdata/baseline/v1.30/pass/procmount0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ procMount: Default
+ hostUsers: false
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ procMount: Default
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.30/pass/seccompprofile_baseline0.yaml b/test/testdata/baseline/v1.30/pass/seccompprofile_baseline0.yaml
new file mode 100755
index 0000000..2e05d16
--- /dev/null
+++ b/test/testdata/baseline/v1.30/pass/seccompprofile_baseline0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_baseline0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/baseline/v1.30/pass/selinuxoptions0.yaml b/test/testdata/baseline/v1.30/pass/selinuxoptions0.yaml
new file mode 100755
index 0000000..dafa4db
--- /dev/null
+++ b/test/testdata/baseline/v1.30/pass/selinuxoptions0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions: {}
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.30/pass/selinuxoptions1.yaml b/test/testdata/baseline/v1.30/pass/selinuxoptions1.yaml
new file mode 100755
index 0000000..a2688f5
--- /dev/null
+++ b/test/testdata/baseline/v1.30/pass/selinuxoptions1.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ seLinuxOptions:
+ level: somevalue
+ type: container_init_t
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ seLinuxOptions:
+ type: container_t
diff --git a/test/testdata/baseline/v1.30/pass/sysctls0.yaml b/test/testdata/baseline/v1.30/pass/sysctls0.yaml
new file mode 100755
index 0000000..2148dc0
--- /dev/null
+++ b/test/testdata/baseline/v1.30/pass/sysctls0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.30/pass/sysctls1.yaml b/test/testdata/baseline/v1.30/pass/sysctls1.yaml
new file mode 100755
index 0000000..f8e68e6
--- /dev/null
+++ b/test/testdata/baseline/v1.30/pass/sysctls1.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
+ - name: net.ipv4.ip_local_reserved_ports
+ value: 1024-4999
+ - name: net.ipv4.tcp_keepalive_time
+ value: "7200"
+ - name: net.ipv4.tcp_fin_timeout
+ value: "60"
+ - name: net.ipv4.tcp_keepalive_intvl
+ value: "75"
+ - name: net.ipv4.tcp_keepalive_probes
+ value: "9"
diff --git a/test/testdata/baseline/v1.31/fail/apparmorprofile0.yaml b/test/testdata/baseline/v1.31/fail/apparmorprofile0.yaml
new file mode 100755
index 0000000..87475d3
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/apparmorprofile0.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container1: unconfined
+ name: apparmorprofile0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/test/testdata/baseline/v1.31/fail/apparmorprofile1.yaml b/test/testdata/baseline/v1.31/fail/apparmorprofile1.yaml
new file mode 100755
index 0000000..5940a63
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/apparmorprofile1.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
+ name: apparmorprofile1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/test/testdata/baseline/v1.31/fail/capabilities_baseline0.yaml b/test/testdata/baseline/v1.31/fail/capabilities_baseline0.yaml
new file mode 100755
index 0000000..e01a9de
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/capabilities_baseline0.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.31/fail/capabilities_baseline1.yaml b/test/testdata/baseline/v1.31/fail/capabilities_baseline1.yaml
new file mode 100755
index 0000000..92239d1
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/capabilities_baseline1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities:
+ add:
+ - NET_RAW
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.31/fail/capabilities_baseline2.yaml b/test/testdata/baseline/v1.31/fail/capabilities_baseline2.yaml
new file mode 100755
index 0000000..089d8c1
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/capabilities_baseline2.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - chown
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.31/fail/capabilities_baseline3.yaml b/test/testdata/baseline/v1.31/fail/capabilities_baseline3.yaml
new file mode 100755
index 0000000..4befa1e
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/capabilities_baseline3.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ add:
+ - CAP_CHOWN
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ capabilities: {}
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.31/fail/hostnamespaces0.yaml b/test/testdata/baseline/v1.31/fail/hostnamespaces0.yaml
new file mode 100755
index 0000000..1c4ca9a
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/hostnamespaces0.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostnamespaces0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ hostIPC: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/test/testdata/baseline/v1.31/fail/hostnamespaces1.yaml b/test/testdata/baseline/v1.31/fail/hostnamespaces1.yaml
new file mode 100755
index 0000000..7967a6d
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/hostnamespaces1.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostnamespaces1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ hostNetwork: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/test/testdata/baseline/v1.31/fail/hostnamespaces2.yaml b/test/testdata/baseline/v1.31/fail/hostnamespaces2.yaml
new file mode 100755
index 0000000..0003966
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/hostnamespaces2.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostnamespaces2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ hostPID: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/test/testdata/baseline/v1.31/fail/hostpathvolumes0.yaml b/test/testdata/baseline/v1.31/fail/hostpathvolumes0.yaml
new file mode 100755
index 0000000..7f02613
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/hostpathvolumes0.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpathvolumes0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ volumes:
+ - emptyDir: {}
+ name: volume-emptydir
+ - hostPath:
+ path: /a
+ name: volume-hostpath
diff --git a/test/testdata/baseline/v1.31/fail/hostpathvolumes1.yaml b/test/testdata/baseline/v1.31/fail/hostpathvolumes1.yaml
new file mode 100755
index 0000000..382d27f
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/hostpathvolumes1.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostpathvolumes1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ volumes:
+ - hostPath:
+ path: /a
+ name: volume-hostpath-a
+ - hostPath:
+ path: /b
+ name: volume-hostpath-b
diff --git a/test/testdata/baseline/v1.31/fail/hostports0.yaml b/test/testdata/baseline/v1.31/fail/hostports0.yaml
new file mode 100755
index 0000000..ebfdcd4
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/hostports0.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ hostPort: 12345
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
diff --git a/test/testdata/baseline/v1.31/fail/hostports1.yaml b/test/testdata/baseline/v1.31/fail/hostports1.yaml
new file mode 100755
index 0000000..d9a2b97
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/hostports1.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
+ hostPort: 12346
diff --git a/test/testdata/baseline/v1.31/fail/hostports2.yaml b/test/testdata/baseline/v1.31/fail/hostports2.yaml
new file mode 100755
index 0000000..61b3388
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/hostports2.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ hostPort: 12345
+ - containerPort: 12347
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
+ hostPort: 12346
+ - containerPort: 12348
diff --git a/test/testdata/baseline/v1.31/fail/privileged0.yaml b/test/testdata/baseline/v1.31/fail/privileged0.yaml
new file mode 100755
index 0000000..e5cc7b9
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/privileged0.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ privileged: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext: {}
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.31/fail/privileged1.yaml b/test/testdata/baseline/v1.31/fail/privileged1.yaml
new file mode 100755
index 0000000..31935b9
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/privileged1.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ privileged: true
+ securityContext: {}
diff --git a/test/testdata/baseline/v1.31/fail/procmount0.yaml b/test/testdata/baseline/v1.31/fail/procmount0.yaml
new file mode 100755
index 0000000..b443b30
--- /dev/null
+++ b/test/testdata/baseline/v1.31/fail/procmount0.yaml
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + procMount: Unmasked + hostUsers: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/test/testdata/baseline/v1.31/fail/procmount1.yaml b/test/testdata/baseline/v1.31/fail/procmount1.yaml new file mode 100755 index 0000000..f5d907d --- /dev/null +++ b/test/testdata/baseline/v1.31/fail/procmount1.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: {} + hostUsers: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + procMount: Unmasked + securityContext: {} diff --git a/test/testdata/baseline/v1.31/fail/seccompprofile_baseline0.yaml b/test/testdata/baseline/v1.31/fail/seccompprofile_baseline0.yaml new file mode 100755 index 0000000..f455958 --- /dev/null +++ b/test/testdata/baseline/v1.31/fail/seccompprofile_baseline0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seccompProfile: + type: Unconfined diff --git a/test/testdata/baseline/v1.31/fail/seccompprofile_baseline1.yaml b/test/testdata/baseline/v1.31/fail/seccompprofile_baseline1.yaml new file mode 100755 index 0000000..8a86112 --- /dev/null +++ b/test/testdata/baseline/v1.31/fail/seccompprofile_baseline1.yaml 
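Review bot: Both procmount fail fixtures set pod-level `hostUsers: false` next to `procMount: Unmasked`, so what they assert is that the v1.31 baseline check still rejects an Unmasked proc mount even when the pod opts into a user namespace. That is the expectation the files encode, but nothing here explains it, and a reader could assume `hostUsers: false` is itself the violating field. A one-line remark in the commit description or the fixture generator, such as `hostUsers: false is only present so the pod passes API validation; Unmasked is still rejected by baseline`, would remove the ambiguity; I am inferring the validation requirement and cannot confirm it from the diff alone.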
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seccompProfile: + type: Unconfined + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/test/testdata/baseline/v1.31/fail/seccompprofile_baseline2.yaml b/test/testdata/baseline/v1.31/fail/seccompprofile_baseline2.yaml new file mode 100755 index 0000000..2182255 --- /dev/null +++ b/test/testdata/baseline/v1.31/fail/seccompprofile_baseline2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seccompProfile: + type: Unconfined + securityContext: {} diff --git a/test/testdata/baseline/v1.31/fail/selinuxoptions0.yaml b/test/testdata/baseline/v1.31/fail/selinuxoptions0.yaml new file mode 100755 index 0000000..f330707 --- /dev/null +++ b/test/testdata/baseline/v1.31/fail/selinuxoptions0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + type: somevalue diff --git a/test/testdata/baseline/v1.31/fail/selinuxoptions1.yaml b/test/testdata/baseline/v1.31/fail/selinuxoptions1.yaml new file mode 100755 index 0000000..6629d05 --- /dev/null +++ b/test/testdata/baseline/v1.31/fail/selinuxoptions1.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: + type: somevalue + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: {} diff --git a/test/testdata/baseline/v1.31/fail/selinuxoptions2.yaml b/test/testdata/baseline/v1.31/fail/selinuxoptions2.yaml new file mode 100755 index 0000000..65876a9 --- /dev/null +++ b/test/testdata/baseline/v1.31/fail/selinuxoptions2.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: somevalue + securityContext: + seLinuxOptions: {} diff --git a/test/testdata/baseline/v1.31/fail/selinuxoptions3.yaml b/test/testdata/baseline/v1.31/fail/selinuxoptions3.yaml new file mode 100755 index 0000000..71d89fb --- /dev/null +++ b/test/testdata/baseline/v1.31/fail/selinuxoptions3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + user: somevalue diff --git a/test/testdata/baseline/v1.31/fail/selinuxoptions4.yaml b/test/testdata/baseline/v1.31/fail/selinuxoptions4.yaml new file mode 100755 index 0000000..74e05cb --- /dev/null +++ b/test/testdata/baseline/v1.31/fail/selinuxoptions4.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: + seLinuxOptions: + role: somevalue diff --git a/test/testdata/baseline/v1.31/fail/sysctls0.yaml b/test/testdata/baseline/v1.31/fail/sysctls0.yaml new file mode 100755 index 0000000..81508d6 --- /dev/null +++ b/test/testdata/baseline/v1.31/fail/sysctls0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + sysctls: + - name: othersysctl + value: other diff --git a/test/testdata/baseline/v1.31/fail/windowshostprocess0.yaml b/test/testdata/baseline/v1.31/fail/windowshostprocess0.yaml new file mode 100755 index 0000000..1e506b1 --- /dev/null +++ b/test/testdata/baseline/v1.31/fail/windowshostprocess0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: windowshostprocess0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + windowsOptions: {} + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + windowsOptions: {} + securityContext: + windowsOptions: + hostProcess: true diff --git a/test/testdata/baseline/v1.31/fail/windowshostprocess1.yaml b/test/testdata/baseline/v1.31/fail/windowshostprocess1.yaml new file mode 100755 index 0000000..1a9d3e9 --- /dev/null +++ b/test/testdata/baseline/v1.31/fail/windowshostprocess1.yaml 
@@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: windowshostprocess1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + windowsOptions: + hostProcess: true + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + windowsOptions: + hostProcess: true + securityContext: + windowsOptions: {} diff --git a/test/testdata/baseline/v1.31/pass/apparmorprofile0.yaml b/test/testdata/baseline/v1.31/pass/apparmorprofile0.yaml new file mode 100755 index 0000000..213a6a6 --- /dev/null +++ b/test/testdata/baseline/v1.31/pass/apparmorprofile0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container1: localhost/foo + name: apparmorprofile0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/test/testdata/baseline/v1.31/pass/base.yaml b/test/testdata/baseline/v1.31/pass/base.yaml new file mode 100755 index 0000000..387a4be --- /dev/null +++ b/test/testdata/baseline/v1.31/pass/base.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: base +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 diff --git a/test/testdata/baseline/v1.31/pass/capabilities_baseline0.yaml b/test/testdata/baseline/v1.31/pass/capabilities_baseline0.yaml new file mode 100755 index 0000000..df93c1c --- /dev/null +++ b/test/testdata/baseline/v1.31/pass/capabilities_baseline0.yaml 
@@ -0,0 +1,44 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + securityContext: {} diff --git a/test/testdata/baseline/v1.31/pass/hostports0.yaml b/test/testdata/baseline/v1.31/pass/hostports0.yaml new file mode 100755 index 0000000..61fddcc --- /dev/null +++ b/test/testdata/baseline/v1.31/pass/hostports0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 diff --git a/test/testdata/baseline/v1.31/pass/privileged0.yaml b/test/testdata/baseline/v1.31/pass/privileged0.yaml new file mode 100755 index 0000000..0b64b68 --- /dev/null +++ b/test/testdata/baseline/v1.31/pass/privileged0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + privileged: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + privileged: false + securityContext: {} diff --git a/test/testdata/baseline/v1.31/pass/procmount0.yaml b/test/testdata/baseline/v1.31/pass/procmount0.yaml new file mode 100755 index 0000000..5346851 --- /dev/null +++ b/test/testdata/baseline/v1.31/pass/procmount0.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + procMount: Default + hostUsers: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + procMount: Default + securityContext: {} diff --git a/test/testdata/baseline/v1.31/pass/seccompprofile_baseline0.yaml b/test/testdata/baseline/v1.31/pass/seccompprofile_baseline0.yaml new file mode 100755 index 0000000..2e05d16 --- /dev/null +++ b/test/testdata/baseline/v1.31/pass/seccompprofile_baseline0.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seccompProfile: + type: RuntimeDefault + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/baseline/v1.31/pass/selinuxoptions0.yaml b/test/testdata/baseline/v1.31/pass/selinuxoptions0.yaml new file mode 100755 index 0000000..dafa4db --- /dev/null +++ b/test/testdata/baseline/v1.31/pass/selinuxoptions0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: {} + securityContext: {} diff --git a/test/testdata/baseline/v1.31/pass/selinuxoptions1.yaml b/test/testdata/baseline/v1.31/pass/selinuxoptions1.yaml new file mode 100755 index 0000000..a2688f5 --- /dev/null +++ b/test/testdata/baseline/v1.31/pass/selinuxoptions1.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + seLinuxOptions: + level: somevalue + type: container_init_t + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + seLinuxOptions: + type: container_kvm_t + securityContext: + seLinuxOptions: + type: container_t diff --git a/test/testdata/baseline/v1.31/pass/sysctls0.yaml b/test/testdata/baseline/v1.31/pass/sysctls0.yaml new file mode 100755 index 0000000..2148dc0 --- /dev/null +++ b/test/testdata/baseline/v1.31/pass/sysctls0.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: {} diff --git a/test/testdata/baseline/v1.31/pass/sysctls1.yaml b/test/testdata/baseline/v1.31/pass/sysctls1.yaml new file mode 100755 index 0000000..f8e68e6 --- /dev/null +++ b/test/testdata/baseline/v1.31/pass/sysctls1.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: sysctls1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + sysctls: + - name: kernel.shm_rmid_forced + value: "0" + - name: net.ipv4.ip_local_port_range + value: 1024 65535 + - name: net.ipv4.tcp_syncookies + value: "0" + - name: net.ipv4.ping_group_range + value: 1 0 + - name: net.ipv4.ip_unprivileged_port_start + value: "1024" + - name: net.ipv4.ip_local_reserved_ports + value: 1024-4999 + - name: net.ipv4.tcp_keepalive_time + value: "7200" + - name: net.ipv4.tcp_fin_timeout + value: "60" + - name: net.ipv4.tcp_keepalive_intvl + value: "75" + - name: net.ipv4.tcp_keepalive_probes + value: "9" 
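Review bot: The sysctl values in sysctls1.yaml are quoted inconsistently: `value: "0"` and `value: "1024"` are explicit strings, while `value: 1024 65535`, `value: 1 0` and `value: 1024-4999` are bare plain scalars. They only decode as strings because of the embedded space or dash, so a future bare single number would decode as an integer and break the fixture; quoting every entry uniformly, e.g. `value: "1024 65535"`, makes the file robust and easier to scan. If these are emitted through a YAML marshaller that quotes only where needed the inconsistency is an artifact, but it is still worth normalising.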
diff --git a/test/testdata/restricted/v1.30/fail/allowprivilegeescalation0.yaml b/test/testdata/restricted/v1.30/fail/allowprivilegeescalation0.yaml new file mode 100755 index 0000000..837b55a --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/allowprivilegeescalation0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/allowprivilegeescalation1.yaml b/test/testdata/restricted/v1.30/fail/allowprivilegeescalation1.yaml new file mode 100755 index 0000000..6189466 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/allowprivilegeescalation1.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/allowprivilegeescalation2.yaml b/test/testdata/restricted/v1.30/fail/allowprivilegeescalation2.yaml new file mode 100755 index 0000000..9302cc6 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/allowprivilegeescalation2.yaml 
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/allowprivilegeescalation3.yaml b/test/testdata/restricted/v1.30/fail/allowprivilegeescalation3.yaml new file mode 100755 index 0000000..083ce35 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/allowprivilegeescalation3.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: allowprivilegeescalation3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/apparmorprofile0.yaml b/test/testdata/restricted/v1.30/fail/apparmorprofile0.yaml new file mode 100755 index 0000000..14de67e --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/apparmorprofile0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/container1: unconfined + name: apparmorprofile0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/test/testdata/restricted/v1.30/fail/apparmorprofile1.yaml b/test/testdata/restricted/v1.30/fail/apparmorprofile1.yaml new file mode 100755 index 0000000..0e4313b --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/apparmorprofile1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined + name: apparmorprofile1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/capabilities_baseline0.yaml b/test/testdata/restricted/v1.30/fail/capabilities_baseline0.yaml new file mode 100755 index 0000000..2be0164 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/capabilities_baseline0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/capabilities_baseline1.yaml b/test/testdata/restricted/v1.30/fail/capabilities_baseline1.yaml new file mode 100755 index 0000000..f68d6b3 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/capabilities_baseline1.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - NET_RAW + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/capabilities_baseline2.yaml b/test/testdata/restricted/v1.30/fail/capabilities_baseline2.yaml new file mode 100755 index 0000000..702bd87 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/capabilities_baseline2.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - chown + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/capabilities_baseline3.yaml b/test/testdata/restricted/v1.30/fail/capabilities_baseline3.yaml new file mode 100755 index 0000000..3e6aa46 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/capabilities_baseline3.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_baseline3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - CAP_CHOWN + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/capabilities_restricted0.yaml b/test/testdata/restricted/v1.30/fail/capabilities_restricted0.yaml new file mode 100755 index 0000000..857c11b --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/capabilities_restricted0.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/capabilities_restricted1.yaml b/test/testdata/restricted/v1.30/fail/capabilities_restricted1.yaml new file mode 100755 index 0000000..9c98767 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/capabilities_restricted1.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/capabilities_restricted2.yaml b/test/testdata/restricted/v1.30/fail/capabilities_restricted2.yaml new file mode 100755 index 0000000..be25f6a --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/capabilities_restricted2.yaml 
@@ -0,0 +1,97 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - SYS_TIME + - SYS_MODULE + - SYS_RAWIO + - SYS_PACCT + - SYS_ADMIN + - SYS_NICE + - SYS_RESOURCE + - SYS_TIME + - SYS_TTY_CONFIG + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + - MAC_OVERRIDE + - MAC_ADMIN + - NET_ADMIN + - SYSLOG + - CHOWN + - NET_RAW + - DAC_OVERRIDE + - FOWNER + - DAC_READ_SEARCH + - FSETID + - KILL + - SETGID + - SETUID + - LINUX_IMMUTABLE + - NET_BIND_SERVICE + - NET_BROADCAST + - IPC_LOCK + - IPC_OWNER + - SYS_CHROOT + - SYS_PTRACE + - SYS_BOOT + - LEASE + - SETFCAP + - WAKE_ALARM + - BLOCK_SUSPEND + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - SYS_TIME + - SYS_MODULE + - SYS_RAWIO + - SYS_PACCT + - SYS_ADMIN + - SYS_NICE + - SYS_RESOURCE + - SYS_TIME + - SYS_TTY_CONFIG + - MKNOD + - AUDIT_WRITE + - AUDIT_CONTROL + - MAC_OVERRIDE + - MAC_ADMIN + - NET_ADMIN + - SYSLOG + - CHOWN + - NET_RAW + - DAC_OVERRIDE + - FOWNER + - DAC_READ_SEARCH + - FSETID + - KILL + - SETGID + - SETUID + - LINUX_IMMUTABLE + - NET_BIND_SERVICE + - NET_BROADCAST + - IPC_LOCK + - IPC_OWNER + - SYS_CHROOT + - SYS_PTRACE + - SYS_BOOT + - LEASE + - SETFCAP + - WAKE_ALARM + - BLOCK_SUSPEND + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/capabilities_restricted3.yaml b/test/testdata/restricted/v1.30/fail/capabilities_restricted3.yaml new file mode 100755 index 0000000..517cc3c --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/capabilities_restricted3.yaml 
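Review bot: `SYS_TIME` appears twice in each `drop:` list of capabilities_restricted2.yaml (first and eighth entries), which looks like a copy error in the fixture source rather than an intentional case. The fixture's point, that an exhaustive explicit drop list still fails restricted because the check requires the literal `ALL`, does not depend on the duplicate, so removing the second `- SYS_TIME` from both lists keeps the test meaningful and spares a reader from hunting for a reason. If the list is produced by the generator, the duplicate should be fixed there so every version's copy is regenerated consistently.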
@@ -0,0 +1,53 @@ +apiVersion: v1 +kind: Pod +metadata: + name: capabilities_restricted3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/hostnamespaces0.yaml b/test/testdata/restricted/v1.30/fail/hostnamespaces0.yaml new file mode 100755 index 0000000..c1a7b7a --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/hostnamespaces0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostIPC: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/hostnamespaces1.yaml b/test/testdata/restricted/v1.30/fail/hostnamespaces1.yaml new file mode 100755 index 0000000..caa294e --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/hostnamespaces1.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/hostnamespaces2.yaml b/test/testdata/restricted/v1.30/fail/hostnamespaces2.yaml new file mode 100755 index 0000000..3235089 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/hostnamespaces2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostPID: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/hostpathvolumes0.yaml b/test/testdata/restricted/v1.30/fail/hostpathvolumes0.yaml new file mode 100755 index 0000000..86745e6 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/hostpathvolumes0.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - emptyDir: {} + name: volume-emptydir + - hostPath: + path: /a + name: volume-hostpath diff --git a/test/testdata/restricted/v1.30/fail/hostpathvolumes1.yaml b/test/testdata/restricted/v1.30/fail/hostpathvolumes1.yaml new file mode 100755 index 0000000..bc7759c --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/hostpathvolumes1.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /a + name: volume-hostpath-a + - hostPath: + path: /b + name: volume-hostpath-b diff --git a/test/testdata/restricted/v1.30/fail/hostports0.yaml b/test/testdata/restricted/v1.30/fail/hostports0.yaml new file mode 100755 index 0000000..9bf9055 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/hostports0.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/hostports1.yaml b/test/testdata/restricted/v1.30/fail/hostports1.yaml new file mode 100755 index 0000000..ddecbf4 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/hostports1.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/hostports2.yaml b/test/testdata/restricted/v1.30/fail/hostports2.yaml new file mode 100755 index 0000000..ed9f692 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/hostports2.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + - containerPort: 12347 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + - containerPort: 12348 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/privileged0.yaml b/test/testdata/restricted/v1.30/fail/privileged0.yaml new file mode 100755 index 0000000..7ad39f5 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/privileged0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + drop: + - ALL + privileged: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/privileged1.yaml b/test/testdata/restricted/v1.30/fail/privileged1.yaml new file mode 100755 index 0000000..cb41dcb --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/privileged1.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: + drop: + - ALL + privileged: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/procmount0.yaml b/test/testdata/restricted/v1.30/fail/procmount0.yaml new file mode 100755 index 0000000..2579076 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/procmount0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + hostUsers: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/procmount1.yaml b/test/testdata/restricted/v1.30/fail/procmount1.yaml new file mode 100755 index 0000000..04e8612 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/procmount1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostUsers: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
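Review bot: The two procmount fixtures in this hunk are the only ones in the visible set that add `hostUsers: false` next to `procMount: Unmasked`, and nothing on the page records why a pod that opts out of host user namespaces is still expected to fail the restricted profile, so the intent should be stated where these fixtures are produced or in the commit description. Because this rendering has collapsed the indentation, the level at which `hostUsers` sits (pod spec versus container) can only be inferred from the alphabetical key order and is worth confirming against the checked-in file. If the fixture is meant to pin that `hostUsers: false` does not by itself make an Unmasked proc mount acceptable under this profile and version, saying so would keep a later regeneration from silently turning it into a pass case.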
diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes0.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes0.yaml new file mode 100755 index 0000000..5a95336 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - gcePersistentDisk: + pdName: test + name: volume1 diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes1.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes1.yaml new file mode 100755 index 0000000..153326f --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes1.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - awsElasticBlockStore: + volumeID: test + name: volume1 diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes10.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes10.yaml new file mode 100755 index 0000000..f34afe6 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes10.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - flocker: + datasetName: test + name: volume1 diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes11.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes11.yaml new file mode 100755 index 0000000..384e06f --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes11.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - fc: + wwids: + - test + name: volume1 diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes12.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes12.yaml new file mode 100755 index 0000000..8757fbf --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes12.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - azureFile: + secretName: test + shareName: test + name: volume1 diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes13.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes13.yaml new file mode 100755 index 0000000..9e2086d --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes13.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + vsphereVolume: + volumePath: test diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes14.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes14.yaml new file mode 100755 index 0000000..d8b9605 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes14.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + quobyte: + registry: localhost:1234 + volume: test diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes15.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes15.yaml new file mode 100755 index 0000000..f3462ab --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes15.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - azureDisk: + diskName: test + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume1 diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes16.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes16.yaml new file mode 100755 index 0000000..d83daa6 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes16.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + portworxVolume: + fsType: ext4 + volumeID: test diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes17.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes17.yaml new file mode 100755 index 0000000..23f6b77 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes17.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + scaleIO: + gateway: localhost + secretRef: null + system: test + volumeName: test diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes18.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes18.yaml new file mode 100755 index 0000000..ca5d93f --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes18.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + storageos: + volumeName: test diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes19.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes19.yaml new file mode 100755 index 0000000..4ca4381 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes19.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /dev/null + name: volume1 diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes2.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes2.yaml new file mode 100755 index 0000000..9154458 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes2.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume1 diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes3.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes3.yaml new file mode 100755 index 0000000..f1060bc --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes3.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + nfs: + path: /test + server: test diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes4.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes4.yaml new file mode 100755 index 0000000..3a14474 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes4.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: test + name: volume1 diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes5.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes5.yaml new file mode 100755 index 0000000..e64cbe9 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes5.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - glusterfs: + endpoints: test + path: test + name: volume1 diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes6.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes6.yaml new file mode 100755 index 0000000..4d596c9 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes6.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + rbd: + image: test + monitors: + - test diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes7.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes7.yaml new file mode 100755 index 0000000..c3887a3 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes7.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - flexVolume: + driver: test + name: volume1 diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes8.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes8.yaml new file mode 100755 index 0000000..e11afbb --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes8.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - cinder: + volumeID: test + name: volume1 diff --git a/test/testdata/restricted/v1.30/fail/restrictedvolumes9.yaml b/test/testdata/restricted/v1.30/fail/restrictedvolumes9.yaml new file mode 100755 index 0000000..8159a48 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/restrictedvolumes9.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - cephfs: + monitors: + - test + name: volume1 diff --git a/test/testdata/restricted/v1.30/fail/runasnonroot0.yaml b/test/testdata/restricted/v1.30/fail/runasnonroot0.yaml new file mode 100755 index 0000000..f460f65 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/runasnonroot0.yaml 
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/runasnonroot1.yaml b/test/testdata/restricted/v1.30/fail/runasnonroot1.yaml new file mode 100755 index 0000000..2854097 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/runasnonroot1.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: false + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/runasnonroot2.yaml b/test/testdata/restricted/v1.30/fail/runasnonroot2.yaml new file mode 100755 index 0000000..067c797 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/runasnonroot2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/test/testdata/restricted/v1.30/fail/runasnonroot3.yaml b/test/testdata/restricted/v1.30/fail/runasnonroot3.yaml new file mode 100755 index 0000000..5459f29 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/runasnonroot3.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/runasuser0.yaml b/test/testdata/restricted/v1.30/fail/runasuser0.yaml new file mode 100755 index 0000000..5f7c9e0 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/runasuser0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + runAsUser: 0 + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/runasuser1.yaml b/test/testdata/restricted/v1.30/fail/runasuser1.yaml new file mode 100755 index 0000000..ff62334 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/runasuser1.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 0 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/runasuser2.yaml b/test/testdata/restricted/v1.30/fail/runasuser2.yaml new file mode 100755 index 0000000..26c7134 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/runasuser2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 0 + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/seccompprofile_baseline0.yaml b/test/testdata/restricted/v1.30/fail/seccompprofile_baseline0.yaml new file mode 100755 index 0000000..0b875ce --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/seccompprofile_baseline0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined 
diff --git a/test/testdata/restricted/v1.30/fail/seccompprofile_baseline1.yaml b/test/testdata/restricted/v1.30/fail/seccompprofile_baseline1.yaml new file mode 100755 index 0000000..3e63c31 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/seccompprofile_baseline1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: Unconfined + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/seccompprofile_baseline2.yaml b/test/testdata/restricted/v1.30/fail/seccompprofile_baseline2.yaml new file mode 100755 index 0000000..4cd9940 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/seccompprofile_baseline2.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/seccompprofile_restricted0.yaml b/test/testdata/restricted/v1.30/fail/seccompprofile_restricted0.yaml new file mode 100755 index 0000000..64b5604 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/seccompprofile_restricted0.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true diff --git a/test/testdata/restricted/v1.30/fail/seccompprofile_restricted1.yaml b/test/testdata/restricted/v1.30/fail/seccompprofile_restricted1.yaml new file mode 100755 index 0000000..2ec3d48 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/seccompprofile_restricted1.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined diff --git a/test/testdata/restricted/v1.30/fail/seccompprofile_restricted2.yaml b/test/testdata/restricted/v1.30/fail/seccompprofile_restricted2.yaml new file mode 100755 index 0000000..c63c622 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/seccompprofile_restricted2.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true 
diff --git a/test/testdata/restricted/v1.30/fail/seccompprofile_restricted3.yaml b/test/testdata/restricted/v1.30/fail/seccompprofile_restricted3.yaml new file mode 100755 index 0000000..69c969f --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/seccompprofile_restricted3.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/test/testdata/restricted/v1.30/fail/seccompprofile_restricted4.yaml b/test/testdata/restricted/v1.30/fail/seccompprofile_restricted4.yaml new file mode 100755 index 0000000..b17bf76 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/seccompprofile_restricted4.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_restricted4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true diff --git a/test/testdata/restricted/v1.30/fail/selinuxoptions0.yaml b/test/testdata/restricted/v1.30/fail/selinuxoptions0.yaml new file mode 100755 index 0000000..7135bb2 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/selinuxoptions0.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: + type: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/selinuxoptions1.yaml b/test/testdata/restricted/v1.30/fail/selinuxoptions1.yaml new file mode 100755 index 0000000..c99b8a5 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/selinuxoptions1.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: selinuxoptions1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: + type: somevalue + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seLinuxOptions: {} + securityContext: + runAsNonRoot: true + seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.30/fail/selinuxoptions2.yaml b/test/testdata/restricted/v1.30/fail/selinuxoptions2.yaml new file mode 100755 index 0000000..f2eafc2 --- /dev/null +++ b/test/testdata/restricted/v1.30/fail/selinuxoptions2.yaml 
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/fail/selinuxoptions3.yaml b/test/testdata/restricted/v1.30/fail/selinuxoptions3.yaml
new file mode 100755
index 0000000..1da063e
--- /dev/null
+++ b/test/testdata/restricted/v1.30/fail/selinuxoptions3.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/fail/selinuxoptions4.yaml b/test/testdata/restricted/v1.30/fail/selinuxoptions4.yaml
new file mode 100755
index 0000000..a4a38fb
--- /dev/null
+++ b/test/testdata/restricted/v1.30/fail/selinuxoptions4.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions4
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/fail/sysctls0.yaml b/test/testdata/restricted/v1.30/fail/sysctls0.yaml
new file mode 100755
index 0000000..841f73d
--- /dev/null
+++ b/test/testdata/restricted/v1.30/fail/sysctls0.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/test/testdata/restricted/v1.30/fail/windowshostprocess0.yaml b/test/testdata/restricted/v1.30/fail/windowshostprocess0.yaml
new file mode 100755
index 0000000..4262e6a
--- /dev/null
+++ b/test/testdata/restricted/v1.30/fail/windowshostprocess0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: windowshostprocess0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ windowsOptions: {}
+ hostNetwork: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ windowsOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ windowsOptions:
+ hostProcess: true
diff --git a/test/testdata/restricted/v1.30/fail/windowshostprocess1.yaml b/test/testdata/restricted/v1.30/fail/windowshostprocess1.yaml
new file mode 100755
index 0000000..ba1ce4a
--- /dev/null
+++ b/test/testdata/restricted/v1.30/fail/windowshostprocess1.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: windowshostprocess1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ windowsOptions:
+ hostProcess: true
+ hostNetwork: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ windowsOptions:
+ hostProcess: true
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ windowsOptions: {}
diff --git a/test/testdata/restricted/v1.30/pass/apparmorprofile0.yaml b/test/testdata/restricted/v1.30/pass/apparmorprofile0.yaml
new file mode 100755
index 0000000..53ebdaa
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/apparmorprofile0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
+ name: apparmorprofile0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/pass/base.yaml b/test/testdata/restricted/v1.30/pass/base.yaml
new file mode 100755
index 0000000..3b4f307
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/base.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/pass/base_linux.yaml b/test/testdata/restricted/v1.30/pass/base_linux.yaml
new file mode 100755
index 0000000..67563df
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/base_linux.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base_linux
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ os:
+ name: linux
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/pass/base_windows.yaml b/test/testdata/restricted/v1.30/pass/base_windows.yaml
new file mode 100755
index 0000000..2bc48b4
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/base_windows.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base_windows
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ os:
+ name: windows
+ securityContext:
+ runAsNonRoot: true
diff --git a/test/testdata/restricted/v1.30/pass/capabilities_restricted0.yaml b/test/testdata/restricted/v1.30/pass/capabilities_restricted0.yaml
new file mode 100755
index 0000000..8a70cb3
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/capabilities_restricted0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_restricted0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/pass/hostports0.yaml b/test/testdata/restricted/v1.30/pass/hostports0.yaml
new file mode 100755
index 0000000..e7f1153
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/hostports0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/pass/privileged0.yaml b/test/testdata/restricted/v1.30/pass/privileged0.yaml
new file mode 100755
index 0000000..8e3aafd
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/privileged0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/pass/procmount0.yaml b/test/testdata/restricted/v1.30/pass/procmount0.yaml
new file mode 100755
index 0000000..5db5a5c
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/procmount0.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ procMount: Default
+ hostUsers: false
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ procMount: Default
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/pass/restrictedvolumes0.yaml b/test/testdata/restricted/v1.30/pass/restrictedvolumes0.yaml
new file mode 100755
index 0000000..a117224
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/restrictedvolumes0.yaml
@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: volume0
+ - emptyDir: {}
+ name: volume1
+ - name: volume2
+ secret:
+ secretName: test
+ - name: volume3
+ persistentVolumeClaim:
+ claimName: test
+ - downwardAPI:
+ items:
+ - fieldRef:
+ fieldPath: metadata.labels
+ path: labels
+ name: volume4
+ - configMap:
+ name: test
+ name: volume5
+ - name: volume6
+ projected:
+ sources: []
diff --git a/test/testdata/restricted/v1.30/pass/runasnonroot0.yaml b/test/testdata/restricted/v1.30/pass/runasnonroot0.yaml
new file mode 100755
index 0000000..414ac79
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/runasnonroot0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/pass/runasnonroot1.yaml b/test/testdata/restricted/v1.30/pass/runasnonroot1.yaml
new file mode 100755
index 0000000..549b013
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/runasnonroot1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/pass/runasuser0.yaml b/test/testdata/restricted/v1.30/pass/runasuser0.yaml
new file mode 100755
index 0000000..ed7aff0
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/runasuser0.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasuser0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: 1000
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: 1000
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/pass/seccompprofile_restricted0.yaml b/test/testdata/restricted/v1.30/pass/seccompprofile_restricted0.yaml
new file mode 100755
index 0000000..f904065
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/seccompprofile_restricted0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/pass/seccompprofile_restricted1.yaml b/test/testdata/restricted/v1.30/pass/seccompprofile_restricted1.yaml
new file mode 100755
index 0000000..5a60fd7
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/seccompprofile_restricted1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ localhostProfile: testing
+ type: Localhost
diff --git a/test/testdata/restricted/v1.30/pass/seccompprofile_restricted2.yaml b/test/testdata/restricted/v1.30/pass/seccompprofile_restricted2.yaml
new file mode 100755
index 0000000..39d68e3
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/seccompprofile_restricted2.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ localhostProfile: testing
+ type: Localhost
+ securityContext:
+ runAsNonRoot: true
diff --git a/test/testdata/restricted/v1.30/pass/selinuxoptions0.yaml b/test/testdata/restricted/v1.30/pass/selinuxoptions0.yaml
new file mode 100755
index 0000000..a45080b
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/selinuxoptions0.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/pass/selinuxoptions1.yaml b/test/testdata/restricted/v1.30/pass/selinuxoptions1.yaml
new file mode 100755
index 0000000..0a83656
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/selinuxoptions1.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions:
+ level: somevalue
+ type: container_init_t
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/pass/sysctls0.yaml b/test/testdata/restricted/v1.30/pass/sysctls0.yaml
new file mode 100755
index 0000000..84224ff
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/sysctls0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.30/pass/sysctls1.yaml b/test/testdata/restricted/v1.30/pass/sysctls1.yaml
new file mode 100755
index 0000000..0fa413a
--- /dev/null
+++ b/test/testdata/restricted/v1.30/pass/sysctls1.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
+ - name: net.ipv4.ip_local_reserved_ports
+ value: 1024-4999
+ - name: net.ipv4.tcp_keepalive_time
+ value: "7200"
+ - name: net.ipv4.tcp_fin_timeout
+ value: "60"
+ - name: net.ipv4.tcp_keepalive_intvl
+ value: "75"
+ - name: net.ipv4.tcp_keepalive_probes
+ value: "9"
diff --git a/test/testdata/restricted/v1.31/fail/allowprivilegeescalation0.yaml b/test/testdata/restricted/v1.31/fail/allowprivilegeescalation0.yaml
new file mode 100755
index 0000000..837b55a
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/allowprivilegeescalation0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/allowprivilegeescalation1.yaml b/test/testdata/restricted/v1.31/fail/allowprivilegeescalation1.yaml
new file mode 100755
index 0000000..6189466
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/allowprivilegeescalation1.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/allowprivilegeescalation2.yaml b/test/testdata/restricted/v1.31/fail/allowprivilegeescalation2.yaml
new file mode 100755
index 0000000..9302cc6
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/allowprivilegeescalation2.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/allowprivilegeescalation3.yaml b/test/testdata/restricted/v1.31/fail/allowprivilegeescalation3.yaml
new file mode 100755
index 0000000..083ce35
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/allowprivilegeescalation3.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: allowprivilegeescalation3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/apparmorprofile0.yaml b/test/testdata/restricted/v1.31/fail/apparmorprofile0.yaml
new file mode 100755
index 0000000..14de67e
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/apparmorprofile0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container1: unconfined
+ name: apparmorprofile0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/apparmorprofile1.yaml b/test/testdata/restricted/v1.31/fail/apparmorprofile1.yaml
new file mode 100755
index 0000000..0e4313b
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/apparmorprofile1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
+ name: apparmorprofile1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/capabilities_baseline0.yaml b/test/testdata/restricted/v1.31/fail/capabilities_baseline0.yaml
new file mode 100755
index 0000000..2be0164
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/capabilities_baseline0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/capabilities_baseline1.yaml b/test/testdata/restricted/v1.31/fail/capabilities_baseline1.yaml
new file mode 100755
index 0000000..f68d6b3
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/capabilities_baseline1.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_RAW
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/capabilities_baseline2.yaml b/test/testdata/restricted/v1.31/fail/capabilities_baseline2.yaml
new file mode 100755
index 0000000..702bd87
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/capabilities_baseline2.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - chown
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/capabilities_baseline3.yaml b/test/testdata/restricted/v1.31/fail/capabilities_baseline3.yaml
new file mode 100755
index 0000000..3e6aa46
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/capabilities_baseline3.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_baseline3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - CAP_CHOWN
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/capabilities_restricted0.yaml b/test/testdata/restricted/v1.31/fail/capabilities_restricted0.yaml
new file mode 100755
index 0000000..857c11b
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/capabilities_restricted0.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_restricted0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/capabilities_restricted1.yaml b/test/testdata/restricted/v1.31/fail/capabilities_restricted1.yaml
new file mode 100755
index 0000000..9c98767
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/capabilities_restricted1.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_restricted1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities: {}
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/capabilities_restricted2.yaml b/test/testdata/restricted/v1.31/fail/capabilities_restricted2.yaml
new file mode 100755
index 0000000..be25f6a
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/capabilities_restricted2.yaml
@@ -0,0 +1,97 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_restricted2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - SYS_TIME
+ - SYS_MODULE
+ - SYS_RAWIO
+ - SYS_PACCT
+ - SYS_ADMIN
+ - SYS_NICE
+ - SYS_RESOURCE
+ - SYS_TIME
+ - SYS_TTY_CONFIG
+ - MKNOD
+ - AUDIT_WRITE
+ - AUDIT_CONTROL
+ - MAC_OVERRIDE
+ - MAC_ADMIN
+ - NET_ADMIN
+ - SYSLOG
+ - CHOWN
+ - NET_RAW
+ - DAC_OVERRIDE
+ - FOWNER
+ - DAC_READ_SEARCH
+ - FSETID
+ - KILL
+ - SETGID
+ - SETUID
+ - LINUX_IMMUTABLE
+ - NET_BIND_SERVICE
+ - NET_BROADCAST
+ - IPC_LOCK
+ - IPC_OWNER
+ - SYS_CHROOT
+ - SYS_PTRACE
+ - SYS_BOOT
+ - LEASE
+ - SETFCAP
+ - WAKE_ALARM
+ - BLOCK_SUSPEND
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - SYS_TIME
+ - SYS_MODULE
+ - SYS_RAWIO
+ - SYS_PACCT
+ - SYS_ADMIN
+ - SYS_NICE
+ - SYS_RESOURCE
+ - SYS_TIME
+ - SYS_TTY_CONFIG
+ - MKNOD
+ - AUDIT_WRITE
+ - AUDIT_CONTROL
+ - MAC_OVERRIDE
+ - MAC_ADMIN
+ - NET_ADMIN
+ - SYSLOG
+ - CHOWN
+ - NET_RAW
+ - DAC_OVERRIDE
+ - FOWNER
+ - DAC_READ_SEARCH
+ - FSETID
+ - KILL
+ - SETGID
+ - SETUID
+ - LINUX_IMMUTABLE
+ - NET_BIND_SERVICE
+ - NET_BROADCAST
+ - IPC_LOCK
+ - IPC_OWNER
+ - SYS_CHROOT
+ - SYS_PTRACE
+ - SYS_BOOT
+ - LEASE
+ - SETFCAP
+ - WAKE_ALARM
+ - BLOCK_SUSPEND
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/capabilities_restricted3.yaml b/test/testdata/restricted/v1.31/fail/capabilities_restricted3.yaml
new file mode 100755
index 0000000..517cc3c
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/capabilities_restricted3.yaml
@@ -0,0 +1,53 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_restricted3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - AUDIT_WRITE
+ - CHOWN
+ - DAC_OVERRIDE
+ - FOWNER
+ - FSETID
+ - KILL
+ - MKNOD
+ - NET_BIND_SERVICE
+ - SETFCAP
+ - SETGID
+ - SETPCAP
+ - SETUID
+ - SYS_CHROOT
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/hostnamespaces0.yaml b/test/testdata/restricted/v1.31/fail/hostnamespaces0.yaml
new file mode 100755
index 0000000..c1a7b7a
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/hostnamespaces0.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostnamespaces0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ hostIPC: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/hostnamespaces1.yaml b/test/testdata/restricted/v1.31/fail/hostnamespaces1.yaml
new file mode 100755
index 0000000..caa294e
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/hostnamespaces1.yaml
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostNetwork: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.31/fail/hostnamespaces2.yaml b/test/testdata/restricted/v1.31/fail/hostnamespaces2.yaml new file mode 100755 index 0000000..3235089 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/hostnamespaces2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostnamespaces2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostPID: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.31/fail/hostpathvolumes0.yaml b/test/testdata/restricted/v1.31/fail/hostpathvolumes0.yaml new file mode 100755 index 0000000..86745e6 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/hostpathvolumes0.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - emptyDir: {} + name: volume-emptydir + - hostPath: + path: /a + name: volume-hostpath diff --git a/test/testdata/restricted/v1.31/fail/hostpathvolumes1.yaml b/test/testdata/restricted/v1.31/fail/hostpathvolumes1.yaml new file mode 100755 index 0000000..bc7759c --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/hostpathvolumes1.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpathvolumes1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /a + name: volume-hostpath-a + - hostPath: + path: /b + name: volume-hostpath-b diff --git a/test/testdata/restricted/v1.31/fail/hostports0.yaml b/test/testdata/restricted/v1.31/fail/hostports0.yaml new file mode 100755 index 0000000..9bf9055 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/hostports0.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.31/fail/hostports1.yaml b/test/testdata/restricted/v1.31/fail/hostports1.yaml new file mode 100755 index 0000000..ddecbf4 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/hostports1.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.31/fail/hostports2.yaml b/test/testdata/restricted/v1.31/fail/hostports2.yaml new file mode 100755 index 0000000..ed9f692 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/hostports2.yaml 
@@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostports2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + ports: + - containerPort: 12345 + hostPort: 12345 + - containerPort: 12347 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + ports: + - containerPort: 12346 + hostPort: 12346 + - containerPort: 12348 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.31/fail/privileged0.yaml b/test/testdata/restricted/v1.31/fail/privileged0.yaml new file mode 100755 index 0000000..7ad39f5 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/privileged0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + capabilities: + drop: + - ALL + privileged: true + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.31/fail/privileged1.yaml b/test/testdata/restricted/v1.31/fail/privileged1.yaml new file mode 100755 index 0000000..cb41dcb --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/privileged1.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: privileged1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + capabilities: + drop: + - ALL + privileged: true + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.31/fail/procmount0.yaml b/test/testdata/restricted/v1.31/fail/procmount0.yaml new file mode 100755 index 0000000..2579076 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/procmount0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + hostUsers: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.31/fail/procmount1.yaml b/test/testdata/restricted/v1.31/fail/procmount1.yaml new file mode 100755 index 0000000..04e8612 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/procmount1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: procmount1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostUsers: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + procMount: Unmasked + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes0.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes0.yaml new file mode 100755 index 0000000..5a95336 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - gcePersistentDisk: + pdName: test + name: volume1 diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes1.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes1.yaml new file mode 100755 index 0000000..153326f --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes1.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - awsElasticBlockStore: + volumeID: test + name: volume1 diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes10.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes10.yaml new file mode 100755 index 0000000..f34afe6 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes10.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - flocker: + datasetName: test + name: volume1 diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes11.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes11.yaml new file mode 100755 index 0000000..384e06f --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes11.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - fc: + wwids: + - test + name: volume1 diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes12.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes12.yaml new file mode 100755 index 0000000..8757fbf --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes12.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - azureFile: + secretName: test + shareName: test + name: volume1 diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes13.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes13.yaml new file mode 100755 index 0000000..9e2086d --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes13.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + vsphereVolume: + volumePath: test diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes14.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes14.yaml new file mode 100755 index 0000000..d8b9605 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes14.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + quobyte: + registry: localhost:1234 + volume: test diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes15.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes15.yaml new file mode 100755 index 0000000..f3462ab --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes15.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - azureDisk: + diskName: test + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume1 diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes16.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes16.yaml new file mode 100755 index 0000000..d83daa6 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes16.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + portworxVolume: + fsType: ext4 + volumeID: test diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes17.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes17.yaml new file mode 100755 index 0000000..23f6b77 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes17.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + scaleIO: + gateway: localhost + secretRef: null + system: test + volumeName: test diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes18.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes18.yaml new file mode 100755 index 0000000..ca5d93f --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes18.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + storageos: + volumeName: test diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes19.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes19.yaml new file mode 100755 index 0000000..4ca4381 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes19.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - hostPath: + path: /dev/null + name: volume1 diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes2.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes2.yaml new file mode 100755 index 0000000..9154458 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes2.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume1 diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes3.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes3.yaml new file mode 100755 index 0000000..f1060bc --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes3.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + nfs: + path: /test + server: test diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes4.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes4.yaml new file mode 100755 index 0000000..3a14474 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes4.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: test + name: volume1 diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes5.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes5.yaml new file mode 100755 index 0000000..e64cbe9 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes5.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - glusterfs: + endpoints: test + path: test + name: volume1 diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes6.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes6.yaml new file mode 100755 index 0000000..4d596c9 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes6.yaml 
@@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - name: volume1 + rbd: + image: test + monitors: + - test diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes7.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes7.yaml new file mode 100755 index 0000000..c3887a3 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes7.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - flexVolume: + driver: test + name: volume1 diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes8.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes8.yaml new file mode 100755 index 0000000..e11afbb --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes8.yaml 
@@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - cinder: + volumeID: test + name: volume1 diff --git a/test/testdata/restricted/v1.31/fail/restrictedvolumes9.yaml b/test/testdata/restricted/v1.31/fail/restrictedvolumes9.yaml new file mode 100755 index 0000000..8159a48 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/restrictedvolumes9.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + volumes: + - cephfs: + monitors: + - test + name: volume1 diff --git a/test/testdata/restricted/v1.31/fail/runasnonroot0.yaml b/test/testdata/restricted/v1.31/fail/runasnonroot0.yaml new file mode 100755 index 0000000..f460f65 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/runasnonroot0.yaml 
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.31/fail/runasnonroot1.yaml b/test/testdata/restricted/v1.31/fail/runasnonroot1.yaml new file mode 100755 index 0000000..2854097 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/runasnonroot1.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: false + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.31/fail/runasnonroot2.yaml b/test/testdata/restricted/v1.31/fail/runasnonroot2.yaml new file mode 100755 index 0000000..067c797 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/runasnonroot2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: false + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/test/testdata/restricted/v1.31/fail/runasnonroot3.yaml b/test/testdata/restricted/v1.31/fail/runasnonroot3.yaml new file mode 100755 index 0000000..5459f29 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/runasnonroot3.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasnonroot3 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsNonRoot: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.31/fail/runasuser0.yaml b/test/testdata/restricted/v1.31/fail/runasuser0.yaml new file mode 100755 index 0000000..5f7c9e0 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/runasuser0.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + runAsUser: 0 + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.31/fail/runasuser1.yaml b/test/testdata/restricted/v1.31/fail/runasuser1.yaml new file mode 100755 index 0000000..ff62334 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/runasuser1.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 0 + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.31/fail/runasuser2.yaml b/test/testdata/restricted/v1.31/fail/runasuser2.yaml new file mode 100755 index 0000000..26c7134 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/runasuser2.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: runasuser2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsUser: 0 + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.31/fail/seccompprofile_baseline0.yaml b/test/testdata/restricted/v1.31/fail/seccompprofile_baseline0.yaml new file mode 100755 index 0000000..0b875ce --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/seccompprofile_baseline0.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline0 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined 
diff --git a/test/testdata/restricted/v1.31/fail/seccompprofile_baseline1.yaml b/test/testdata/restricted/v1.31/fail/seccompprofile_baseline1.yaml new file mode 100755 index 0000000..3e63c31 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/seccompprofile_baseline1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline1 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: Unconfined + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.31/fail/seccompprofile_baseline2.yaml b/test/testdata/restricted/v1.31/fail/seccompprofile_baseline2.yaml new file mode 100755 index 0000000..4cd9940 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/seccompprofile_baseline2.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccompprofile_baseline2 +spec: + containers: + - image: registry.k8s.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + initContainers: + - image: registry.k8s.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/test/testdata/restricted/v1.31/fail/seccompprofile_restricted0.yaml b/test/testdata/restricted/v1.31/fail/seccompprofile_restricted0.yaml new file mode 100755 index 0000000..64b5604 --- /dev/null +++ b/test/testdata/restricted/v1.31/fail/seccompprofile_restricted0.yaml 
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
diff --git a/test/testdata/restricted/v1.31/fail/seccompprofile_restricted1.yaml b/test/testdata/restricted/v1.31/fail/seccompprofile_restricted1.yaml
new file mode 100755
index 0000000..2ec3d48
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/seccompprofile_restricted1.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: Unconfined
diff --git a/test/testdata/restricted/v1.31/fail/seccompprofile_restricted2.yaml b/test/testdata/restricted/v1.31/fail/seccompprofile_restricted2.yaml
new file mode 100755
index 0000000..c63c622
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/seccompprofile_restricted2.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
diff --git a/test/testdata/restricted/v1.31/fail/seccompprofile_restricted3.yaml b/test/testdata/restricted/v1.31/fail/seccompprofile_restricted3.yaml
new file mode 100755
index 0000000..69c969f
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/seccompprofile_restricted3.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ securityContext:
+ runAsNonRoot: true
diff --git a/test/testdata/restricted/v1.31/fail/seccompprofile_restricted4.yaml b/test/testdata/restricted/v1.31/fail/seccompprofile_restricted4.yaml
new file mode 100755
index 0000000..b17bf76
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/seccompprofile_restricted4.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted4
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: Unconfined
+ securityContext:
+ runAsNonRoot: true
diff --git a/test/testdata/restricted/v1.31/fail/selinuxoptions0.yaml b/test/testdata/restricted/v1.31/fail/selinuxoptions0.yaml
new file mode 100755
index 0000000..7135bb2
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/selinuxoptions0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: somevalue
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/selinuxoptions1.yaml b/test/testdata/restricted/v1.31/fail/selinuxoptions1.yaml
new file mode 100755
index 0000000..c99b8a5
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/selinuxoptions1.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions:
+ type: somevalue
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/selinuxoptions2.yaml b/test/testdata/restricted/v1.31/fail/selinuxoptions2.yaml
new file mode 100755
index 0000000..f2eafc2
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/selinuxoptions2.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions:
+ type: somevalue
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions: {}
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/selinuxoptions3.yaml b/test/testdata/restricted/v1.31/fail/selinuxoptions3.yaml
new file mode 100755
index 0000000..1da063e
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/selinuxoptions3.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions3
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ user: somevalue
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/selinuxoptions4.yaml b/test/testdata/restricted/v1.31/fail/selinuxoptions4.yaml
new file mode 100755
index 0000000..a4a38fb
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/selinuxoptions4.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions4
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ role: somevalue
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/fail/sysctls0.yaml b/test/testdata/restricted/v1.31/fail/sysctls0.yaml
new file mode 100755
index 0000000..841f73d
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/sysctls0.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ sysctls:
+ - name: othersysctl
+ value: other
diff --git a/test/testdata/restricted/v1.31/fail/windowshostprocess0.yaml b/test/testdata/restricted/v1.31/fail/windowshostprocess0.yaml
new file mode 100755
index 0000000..4262e6a
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/windowshostprocess0.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: windowshostprocess0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ windowsOptions: {}
+ hostNetwork: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ windowsOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ windowsOptions:
+ hostProcess: true
diff --git a/test/testdata/restricted/v1.31/fail/windowshostprocess1.yaml b/test/testdata/restricted/v1.31/fail/windowshostprocess1.yaml
new file mode 100755
index 0000000..ba1ce4a
--- /dev/null
+++ b/test/testdata/restricted/v1.31/fail/windowshostprocess1.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: windowshostprocess1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ windowsOptions:
+ hostProcess: true
+ hostNetwork: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ windowsOptions:
+ hostProcess: true
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ windowsOptions: {}
diff --git a/test/testdata/restricted/v1.31/pass/apparmorprofile0.yaml b/test/testdata/restricted/v1.31/pass/apparmorprofile0.yaml
new file mode 100755
index 0000000..53ebdaa
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/apparmorprofile0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
+ name: apparmorprofile0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/pass/base.yaml b/test/testdata/restricted/v1.31/pass/base.yaml
new file mode 100755
index 0000000..3b4f307
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/base.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/pass/base_linux.yaml b/test/testdata/restricted/v1.31/pass/base_linux.yaml
new file mode 100755
index 0000000..67563df
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/base_linux.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base_linux
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ os:
+ name: linux
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
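Review bot: apparmorprofile0.yaml exercises the restricted AppArmor pass case only through the `container.apparmor.security.beta.kubernetes.io/container1: localhost/foo` annotation; nothing in this hunk sets `securityContext.appArmorProfile` on a container or on the pod. For a v1.31 fixture set the field form is the one new manifests will use, so a pass fixture with `appArmorProfile: {type: Localhost, localhostProfile: foo}` under the pod securityContext (and a container-level counterpart) is worth adding, unless the generator already emits one in a part of this commit outside this chunk.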
diff --git a/test/testdata/restricted/v1.31/pass/base_windows.yaml b/test/testdata/restricted/v1.31/pass/base_windows.yaml
new file mode 100755
index 0000000..2bc48b4
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/base_windows.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: base_windows
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ os:
+ name: windows
+ securityContext:
+ runAsNonRoot: true
diff --git a/test/testdata/restricted/v1.31/pass/capabilities_restricted0.yaml b/test/testdata/restricted/v1.31/pass/capabilities_restricted0.yaml
new file mode 100755
index 0000000..8a70cb3
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/capabilities_restricted0.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: capabilities_restricted0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ add:
+ - NET_BIND_SERVICE
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/pass/hostports0.yaml b/test/testdata/restricted/v1.31/pass/hostports0.yaml
new file mode 100755
index 0000000..e7f1153
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/hostports0.yaml
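Review bot: base_windows.yaml is a restricted pass fixture whose containers set none of `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` or a `seccompProfile`, so it can only pass because `spec.os.name: windows` exempts the pod from the Linux-only checks. That makes the file a pin on the OS exemption rather than a general pass case, and nothing in its name or contents says so; a reader comparing it with base_linux.yaml could conclude those fields are optional. If the generator can emit comments, a leading `# passes restricted only because spec.os.name=windows skips the Linux-only controls` line would make the intent explicit. A companion fail fixture with the same two containers and no `spec.os` would also keep the exemption from widening unnoticed; I cannot tell from this chunk whether one exists.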
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: hostports0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ ports:
+ - containerPort: 12345
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ ports:
+ - containerPort: 12346
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/pass/privileged0.yaml b/test/testdata/restricted/v1.31/pass/privileged0.yaml
new file mode 100755
index 0000000..8e3aafd
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/privileged0.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: privileged0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/pass/procmount0.yaml b/test/testdata/restricted/v1.31/pass/procmount0.yaml
new file mode 100755
index 0000000..5db5a5c
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/procmount0.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: procmount0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ procMount: Default
+ hostUsers: false
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ procMount: Default
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/pass/restrictedvolumes0.yaml b/test/testdata/restricted/v1.31/pass/restrictedvolumes0.yaml
new file mode 100755
index 0000000..a117224
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/restrictedvolumes0.yaml
@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: restrictedvolumes0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: volume0
+ - emptyDir: {}
+ name: volume1
+ - name: volume2
+ secret:
+ secretName: test
+ - name: volume3
+ persistentVolumeClaim:
+ claimName: test
+ - downwardAPI:
+ items:
+ - fieldRef:
+ fieldPath: metadata.labels
+ path: labels
+ name: volume4
+ - configMap:
+ name: test
+ name: volume5
+ - name: volume6
+ projected:
+ sources: []
diff --git a/test/testdata/restricted/v1.31/pass/runasnonroot0.yaml b/test/testdata/restricted/v1.31/pass/runasnonroot0.yaml
new file mode 100755
index 0000000..414ac79
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/runasnonroot0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/pass/runasnonroot1.yaml b/test/testdata/restricted/v1.31/pass/runasnonroot1.yaml
new file mode 100755
index 0000000..549b013
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/runasnonroot1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasnonroot1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsNonRoot: true
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/pass/runasuser0.yaml b/test/testdata/restricted/v1.31/pass/runasuser0.yaml
new file mode 100755
index 0000000..ed7aff0
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/runasuser0.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: runasuser0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: 1000
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: 1000
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/pass/seccompprofile_restricted0.yaml b/test/testdata/restricted/v1.31/pass/seccompprofile_restricted0.yaml
new file mode 100755
index 0000000..f904065
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/seccompprofile_restricted0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/pass/seccompprofile_restricted1.yaml b/test/testdata/restricted/v1.31/pass/seccompprofile_restricted1.yaml
new file mode 100755
index 0000000..5a60fd7
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/seccompprofile_restricted1.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ localhostProfile: testing
+ type: Localhost
diff --git a/test/testdata/restricted/v1.31/pass/seccompprofile_restricted2.yaml b/test/testdata/restricted/v1.31/pass/seccompprofile_restricted2.yaml
new file mode 100755
index 0000000..39d68e3
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/seccompprofile_restricted2.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: seccompprofile_restricted2
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ localhostProfile: testing
+ type: Localhost
+ securityContext:
+ runAsNonRoot: true
diff --git a/test/testdata/restricted/v1.31/pass/selinuxoptions0.yaml b/test/testdata/restricted/v1.31/pass/selinuxoptions0.yaml
new file mode 100755
index 0000000..a45080b
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/selinuxoptions0.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions: {}
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/pass/selinuxoptions1.yaml b/test/testdata/restricted/v1.31/pass/selinuxoptions1.yaml
new file mode 100755
index 0000000..0a83656
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/selinuxoptions1.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: selinuxoptions1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions:
+ level: somevalue
+ type: container_init_t
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seLinuxOptions:
+ type: container_kvm_t
+ securityContext:
+ runAsNonRoot: true
+ seLinuxOptions:
+ type: container_t
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/pass/sysctls0.yaml b/test/testdata/restricted/v1.31/pass/sysctls0.yaml
new file mode 100755
index 0000000..84224ff
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/sysctls0.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls0
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/test/testdata/restricted/v1.31/pass/sysctls1.yaml b/test/testdata/restricted/v1.31/pass/sysctls1.yaml
new file mode 100755
index 0000000..0fa413a
--- /dev/null
+++ b/test/testdata/restricted/v1.31/pass/sysctls1.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sysctls1
+spec:
+ containers:
+ - image: registry.k8s.io/pause
+ name: container1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ initContainers:
+ - image: registry.k8s.io/pause
+ name: initcontainer1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ sysctls:
+ - name: kernel.shm_rmid_forced
+ value: "0"
+ - name: net.ipv4.ip_local_port_range
+ value: 1024 65535
+ - name: net.ipv4.tcp_syncookies
+ value: "0"
+ - name: net.ipv4.ping_group_range
+ value: 1 0
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "1024"
+ - name: net.ipv4.ip_local_reserved_ports
+ value: 1024-4999
+ - name: net.ipv4.tcp_keepalive_time
+ value: "7200"
+ - name: net.ipv4.tcp_fin_timeout
+ value: "60"
+ - name: net.ipv4.tcp_keepalive_intvl
+ value: "75"
+ - name: net.ipv4.tcp_keepalive_probes
+ value: "9"