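# Source: k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/plugin/pkg/admission/security/podsecurity/testdata/pod_baseline.yaml
# (Layout restored from a collapsed listing: viewer gutter numbers removed,
# one key per line; keys and values are unchanged.)
#
# this pod fixture is used for benchmarks and should be kept updated to pass the latest baseline policy
apiVersion: v1
kind: Pod
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
    # Legacy annotation form of the seccomp setting. The field form,
    # spec.securityContext.seccompProfile (RuntimeDefault), is also set below.
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
  creationTimestamp: "2021-08-20T14:35:04Z"
  generateName: kube-dns-76dbc85bd5-
  labels:
    k8s-app: kube-dns
    pod-template-hash: 76dbc85bd5
  # managedFields is field-ownership bookkeeping (which manager last set which
  # field). It records field paths, not values, and grants the containers
  # nothing. It is kept because the fixture mirrors a full object as stored.
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:scheduler.alpha.kubernetes.io/critical-pod: {}
          f:seccomp.security.alpha.kubernetes.io/pod: {}
        f:generateName: {}
        f:labels:
          .: {}
          f:k8s-app: {}
          f:pod-template-hash: {}
        f:ownerReferences:
          .: {}
          k:{"uid":"901a2f14-52d5-468b-af25-6587b60f2887"}:
            .: {}
            f:apiVersion: {}
            f:blockOwnerDeletion: {}
            f:controller: {}
            f:kind: {}
            f:name: {}
            f:uid: {}
      f:spec:
        f:affinity:
          .: {}
          f:podAntiAffinity:
            .: {}
            f:preferredDuringSchedulingIgnoredDuringExecution: {}
        f:containers:
          k:{"name":"dnsmasq"}:
            .: {}
            f:args: {}
            # NOTE(review): every other f: leaf here is {}; this value looks
            # like an artifact of replacing image references with
            # placeholders. Left as found (same for the other f:image keys).
            f:image: image-name:tag-name
            f:imagePullPolicy: {}
            f:livenessProbe:
              .: {}
              f:failureThreshold: {}
              f:httpGet:
                .: {}
                f:path: {}
                f:port: {}
                f:scheme: {}
              f:initialDelaySeconds: {}
              f:periodSeconds: {}
              f:successThreshold: {}
              f:timeoutSeconds: {}
            f:name: {}
            f:ports:
              .: {}
              k:{"containerPort":53,"protocol":"TCP"}:
                .: {}
                f:containerPort: {}
                f:name: {}
                f:protocol: {}
              k:{"containerPort":53,"protocol":"UDP"}:
                .: {}
                f:containerPort: {}
                f:name: {}
                f:protocol: {}
            f:resources:
              .: {}
              f:requests:
                .: {}
                f:cpu: {}
                f:memory: {}
            f:securityContext:
              .: {}
              f:capabilities:
                .: {}
                f:add: {}
                f:drop: {}
            f:terminationMessagePath: {}
            f:terminationMessagePolicy: {}
            f:volumeMounts:
              .: {}
              k:{"mountPath":"/etc/k8s/dns/dnsmasq-nanny"}:
                .: {}
                f:mountPath: {}
                f:name: {}
          k:{"name":"kubedns"}:
            .: {}
            f:args: {}
            f:env:
              .: {}
              k:{"name":"PROMETHEUS_PORT"}:
                .: {}
                f:name: {}
                f:value: {}
            f:image: image-name:tag-name
            f:imagePullPolicy: {}
            f:livenessProbe:
              .: {}
              f:failureThreshold: {}
              f:httpGet:
                .: {}
                f:path: {}
                f:port: {}
                f:scheme: {}
              f:initialDelaySeconds: {}
              f:periodSeconds: {}
              f:successThreshold: {}
              f:timeoutSeconds: {}
            f:name: {}
            f:ports:
              .: {}
              k:{"containerPort":10053,"protocol":"TCP"}:
                .: {}
                f:containerPort: {}
                f:name: {}
                f:protocol: {}
              k:{"containerPort":10053,"protocol":"UDP"}:
                .: {}
                f:containerPort: {}
                f:name: {}
                f:protocol: {}
              k:{"containerPort":10055,"protocol":"TCP"}:
                .: {}
                f:containerPort: {}
                f:name: {}
                f:protocol: {}
            f:readinessProbe:
              .: {}
              f:failureThreshold: {}
              f:httpGet:
                .: {}
                f:path: {}
                f:port: {}
                f:scheme: {}
              f:initialDelaySeconds: {}
              f:periodSeconds: {}
              f:successThreshold: {}
              f:timeoutSeconds: {}
            f:resources:
              .: {}
              f:limits:
                .: {}
                f:memory: {}
              f:requests:
                .: {}
                f:cpu: {}
                f:memory: {}
            f:securityContext:
              .: {}
              f:allowPrivilegeEscalation: {}
              f:readOnlyRootFilesystem: {}
              f:runAsGroup: {}
              f:runAsUser: {}
            f:terminationMessagePath: {}
            f:terminationMessagePolicy: {}
            f:volumeMounts:
              .: {}
              k:{"mountPath":"/kube-dns-config"}:
                .: {}
                f:mountPath: {}
                f:name: {}
          k:{"name":"prometheus-to-sd"}:
            .: {}
            f:command: {}
            f:env:
              .: {}
              k:{"name":"POD_NAME"}:
                .: {}
                f:name: {}
                f:valueFrom:
                  .: {}
                  f:fieldRef:
                    .: {}
                    f:apiVersion: {}
                    f:fieldPath: {}
              k:{"name":"POD_NAMESPACE"}:
                .: {}
                f:name: {}
                f:valueFrom:
                  .: {}
                  f:fieldRef:
                    .: {}
                    f:apiVersion: {}
                    f:fieldPath: {}
            f:image: image-name:tag-name
            f:imagePullPolicy: {}
            f:name: {}
            f:resources: {}
            f:securityContext:
              .: {}
              f:allowPrivilegeEscalation: {}
              f:readOnlyRootFilesystem: {}
              f:runAsGroup: {}
              f:runAsUser: {}
            f:terminationMessagePath: {}
            f:terminationMessagePolicy: {}
          k:{"name":"sidecar"}:
            .: {}
            f:args: {}
            f:image: image-name:tag-name
            f:imagePullPolicy: {}
            f:livenessProbe:
              .: {}
              f:failureThreshold: {}
              f:httpGet:
                .: {}
                f:path: {}
                f:port: {}
                f:scheme: {}
              f:initialDelaySeconds: {}
              f:periodSeconds: {}
              f:successThreshold: {}
              f:timeoutSeconds: {}
            f:name: {}
            f:ports:
              .: {}
              k:{"containerPort":10054,"protocol":"TCP"}:
                .: {}
                f:containerPort: {}
                f:name: {}
                f:protocol: {}
            f:resources:
              .: {}
              f:requests:
                .: {}
                f:cpu: {}
                f:memory: {}
            f:securityContext:
              .: {}
              f:allowPrivilegeEscalation: {}
              f:readOnlyRootFilesystem: {}
              f:runAsGroup: {}
              f:runAsUser: {}
            f:terminationMessagePath: {}
            f:terminationMessagePolicy: {}
        f:dnsPolicy: {}
        f:enableServiceLinks: {}
        f:nodeSelector:
          .: {}
          f:kubernetes.io/os: {}
        f:priorityClassName: {}
        f:restartPolicy: {}
        f:schedulerName: {}
        f:securityContext:
          .: {}
          f:fsGroup: {}
          f:supplementalGroups: {}
        f:serviceAccount: {}
        f:serviceAccountName: {}
        f:terminationGracePeriodSeconds: {}
        f:tolerations: {}
        f:volumes:
          .: {}
          k:{"name":"kube-dns-config"}:
            .: {}
            f:configMap:
              .: {}
              f:defaultMode: {}
              f:name: {}
              f:optional: {}
            f:name: {}
    manager: kube-controller-manager
    operation: Update
    time: "2021-08-20T14:35:04Z"
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:conditions:
          .: {}
          k:{"type":"PodScheduled"}:
            .: {}
            f:lastProbeTime: {}
            f:lastTransitionTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
    manager: kube-scheduler
    operation: Update
    time: "2021-08-20T14:35:04Z"
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:conditions:
          k:{"type":"ContainersReady"}:
            .: {}
            f:lastProbeTime: {}
            f:lastTransitionTime: {}
            f:status: {}
            f:type: {}
          k:{"type":"Initialized"}:
            .: {}
            f:lastProbeTime: {}
            f:lastTransitionTime: {}
            f:status: {}
            f:type: {}
          k:{"type":"Ready"}:
            .: {}
            f:lastProbeTime: {}
            f:lastTransitionTime: {}
            f:status: {}
            f:type: {}
        f:containerStatuses: {}
        f:hostIP: {}
        f:phase: {}
        f:podIP: {}
        f:podIPs:
          .: {}
          k:{"ip":"10..10.10"}:
            .: {}
            f:ip: {}
        f:startTime: {}
    manager: kubelet
    operation: Update
    time: "2021-08-20T14:36:10Z"
  name: kube-dns-76dbc85bd5-zl5tr
  namespace: kube-system
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: kube-dns-76dbc85bd5
    uid: 901a2f14-52d5-468b-af25-6587b60f2887
  resourceVersion: "1391"
  uid: e98f0f22-0937-4495-8211-d5633e50fb8d
# The spec sets no hostNetwork/hostPID/hostIPC, no privileged flag, and no
# hostPort on any container port. Those are among the fields the baseline
# profile restricts, so adding one would stop this fixture from passing.
spec:
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - podAffinityTerm:
          labelSelector:
            matchExpressions:
            - key: k8s-app
              operator: In
              values:
              - kube-dns
          topologyKey: kubernetes.io/hostname
        weight: 100
  containers:
  - args:
    - --domain=cluster.local.
    - --dns-port=10053
    - --config-dir=/kube-dns-config
    - --v=2
    env:
    - name: PROMETHEUS_PORT
      value: "10055"
    image: image-name:tag-name
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 5
      httpGet:
        path: /healthcheck/kubedns
        port: 10054
        scheme: HTTP
      initialDelaySeconds: 60
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    name: kubedns
    ports:
    - containerPort: 10053
      name: dns-local
      protocol: UDP
    - containerPort: 10053
      name: dns-tcp-local
      protocol: TCP
    - containerPort: 10055
      name: metrics
      protocol: TCP
    readinessProbe:
      failureThreshold: 3
      httpGet:
        path: /readiness
        port: 8081
        scheme: HTTP
      initialDelaySeconds: 3
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    resources:
      limits:
        memory: 210Mi
      requests:
        cpu: 100m
        memory: 70Mi
    # Only the group ID is pinned; no runAsUser or runAsNonRoot is set here or
    # at pod level. Baseline does not require one; restricted would.
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsGroup: 1001
      # Drops everything and adds back only NET_BIND_SERVICE, which is on the
      # baseline list of capabilities that may be added.
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - ALL
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /kube-dns-config
      name: kube-dns-config
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-s8rz5
      readOnly: true
  - args:
    - -v=2
    - -logtostderr
    - -configDir=/etc/k8s/dns/dnsmasq-nanny
    - -restartDnsmasq=true
    - --
    - -k
    - --cache-size=1000
    - --no-negcache
    - --dns-forward-max=1500
    - --log-facility=-
    - --server=/cluster.local/127.0.0.1#10053
    - --server=/in-addr.arpa/127.0.0.1#10053
    - --server=/ip6.arpa/127.0.0.1#10053
    image: image-name:tag-name
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 5
      httpGet:
        path: /healthcheck/dnsmasq
        port: 10054
        scheme: HTTP
      initialDelaySeconds: 60
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    name: dnsmasq
    ports:
    - containerPort: 53
      name: dns
      protocol: UDP
    - containerPort: 53
      name: dns-tcp
      protocol: TCP
    resources:
      requests:
        cpu: 150m
        memory: 20Mi
    # The only container that sets runAsNonRoot. It does not set
    # readOnlyRootFilesystem, unlike the other three.
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - ALL
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /etc/k8s/dns/dnsmasq-nanny
      name: kube-dns-config
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-s8rz5
      readOnly: true
  - args:
    - --v=2
    - --logtostderr
    - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.cluster.local,5,SRV
    - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.cluster.local,5,SRV
    image: image-name:tag-name
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 5
      httpGet:
        path: /metrics
        port: 10054
        scheme: HTTP
      initialDelaySeconds: 60
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    name: sidecar
    ports:
    - containerPort: 10054
      name: metrics
      protocol: TCP
    resources:
      requests:
        cpu: 10m
        memory: 20Mi
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsGroup: 1001
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - ALL
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-s8rz5
      readOnly: true
  - command:
    - /monitor
    - --stackdriver-prefix=container.googleapis.com/internal/addons
    - --api-override=https://test-monitoring.sandbox.googleapis.com/
    - --pod-id=$(POD_NAME)
    - --namespace-id=$(POD_NAMESPACE)
    - --v=2
    env:
    - name: POD_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.name
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.namespace
    image: image-name:tag-name
    imagePullPolicy: IfNotPresent
    name: prometheus-to-sd
    # No requests or limits on this container (the other three set requests).
    resources: {}
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsGroup: 1001
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - ALL
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-s8rz5
      readOnly: true
  dnsPolicy: Default
  enableServiceLinks: true
  nodeName: mynode
  nodeSelector:
    kubernetes.io/os: linux
  preemptionPolicy: PreemptLowerPriority
  priority: 2000000000
  priorityClassName: system-cluster-critical
  restartPolicy: Always
  schedulerName: default-scheduler
  # Pod-level context: seccomp RuntimeDefault applies to every container that
  # does not override it. No runAsUser or runAsNonRoot is set at this level.
  securityContext:
    fsGroup: 65534
    seccompProfile:
      type: RuntimeDefault
    supplementalGroups:
    - 65534
  serviceAccount: kube-dns
  serviceAccountName: kube-dns
  terminationGracePeriodSeconds: 30
  tolerations:
  - key: CriticalAddonsOnly
    operator: Exists
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  # Volume sources are configMap and projected only; there is no hostPath,
  # which baseline forbids.
  volumes:
  - configMap:
      # 420 decimal == 0644 octal
      defaultMode: 420
      name: kube-dns
      optional: true
    name: kube-dns-config
  # Projected service-account credentials. The token has a bounded lifetime
  # (expirationSeconds), and every container mounts the volume readOnly.
  - name: kube-api-access-s8rz5
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
# status is runtime-reported state captured with the object; it is kept so the
# fixture has the shape of a full stored Pod.
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2021-08-20T14:35:31Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2021-08-20T14:36:10Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2021-08-20T14:36:10Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2021-08-20T14:35:31Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: containerd://f21ec303caca266fa4b81ebe6c210b5aa2b8ea6a262d8038db2c4f57db127187
    image: image-name:tag-name
    imageID: imageid@sha256:8e2a7eaa7e6b1ede58d6361d0058a391260a46f0290b7f0368b709494e9e36bf
    lastState: {}
    name: dnsmasq
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2021-08-20T14:36:03Z"
  - containerID: containerd://bf3db3f330364ba2af3763a3c0b0bcd137f0556a73fffd0e0dbda61035b696a9
    image: image-name:tag-name
    imageID: imageid@sha256:50a1d17afe48a4ae15c9321d8c16d8f1302358c92971884722514c4ed7315ca3
    lastState: {}
    name: kubedns
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2021-08-20T14:35:52Z"
  - containerID: containerd://733304e5217f2c9827736e1226188b11488fd476d0b9f647bd098fe9db89460e
    image: image-name:tag-name
    imageID: imageid@sha256:aca8ef8aa7fae83e1f8583ed78dd4d11f655b9f22a0a76bda5edce6d8965bdf2
    lastState: {}
    name: prometheus-to-sd
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2021-08-20T14:36:09Z"
  - containerID: containerd://4639ada29f769008d3b21eef48cd061534dfd7875b42d5103179d4f0258667e9
    image: image-name:tag-name
    imageID: imageid@sha256:3bb5033aefb3e3dee259ab3d357d38d16eacf9cf2e1542ad577e3796410033ca
    lastState: {}
    name: sidecar
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2021-08-20T14:36:06Z"
  hostIP: 10.128.0.48
  phase: Running
  # NOTE(review): "10..10.10" is not a well-formed IPv4 address; presumably a
  # scrubbed value. Left as found (it also appears as a managedFields key).
  podIP: 10..10.10
  podIPs:
  - ip: 10..10.10
  qosClass: Burstable
  startTime: "2021-08-20T14:35:31Z"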