# this pod fixture is used for benchmarks and should be kept updated to pass the latest restricted policy
#
# Pod captured from a kube-dns deployment (image references, IPs and image IDs replaced
# with placeholder values). The spec carries the per-pod and per-container settings the
# "restricted" Pod Security Standard checks: allowPrivilegeEscalation=false, runAsNonRoot=true,
# capabilities drop ALL with at most NET_BIND_SERVICE added, and a RuntimeDefault seccomp
# profile. Keep those settings in step with the policy when the policy changes.
apiVersion: v1
kind: Pod
metadata:
  annotations:
    scheduler.alpha.kubernetes.io/critical-pod: ""
    # legacy seccomp annotation; the pod-level spec.securityContext.seccompProfile below
    # is the field the current policy checks
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
  creationTimestamp: "2021-08-20T14:35:04Z"
  generateName: kube-dns-76dbc85bd5-
  labels:
    k8s-app: kube-dns
    pod-template-hash: 76dbc85bd5
  # server-side-apply bookkeeping copied verbatim from the captured object; retained so the
  # benchmark decodes a realistically sized pod. NOTE(review): f:image carries a literal
  # value here where every other entry is {} — presumably a side effect of the image
  # placeholder substitution; harmless for the fixture, but confirm before reusing it.
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:scheduler.alpha.kubernetes.io/critical-pod: {}
          f:seccomp.security.alpha.kubernetes.io/pod: {}
        f:generateName: {}
        f:labels:
          .: {}
          f:k8s-app: {}
          f:pod-template-hash: {}
        f:ownerReferences:
          .: {}
          k:{"uid":"901a2f14-52d5-468b-af25-6587b60f2887"}:
            .: {}
            f:apiVersion: {}
            f:blockOwnerDeletion: {}
            f:controller: {}
            f:kind: {}
            f:name: {}
            f:uid: {}
      f:spec:
        f:affinity:
          .: {}
          f:podAntiAffinity:
            .: {}
            f:preferredDuringSchedulingIgnoredDuringExecution: {}
        f:containers:
          k:{"name":"dnsmasq"}:
            .: {}
            f:args: {}
            f:image: image-name:tag-name
            f:imagePullPolicy: {}
            f:livenessProbe:
              .: {}
              f:failureThreshold: {}
              f:httpGet:
                .: {}
                f:path: {}
                f:port: {}
                f:scheme: {}
              f:initialDelaySeconds: {}
              f:periodSeconds: {}
              f:successThreshold: {}
              f:timeoutSeconds: {}
            f:name: {}
            f:ports:
              .: {}
              k:{"containerPort":53,"protocol":"TCP"}:
                .: {}
                f:containerPort: {}
                f:name: {}
                f:protocol: {}
              k:{"containerPort":53,"protocol":"UDP"}:
                .: {}
                f:containerPort: {}
                f:name: {}
                f:protocol: {}
            f:resources:
              .: {}
              f:requests:
                .: {}
                f:cpu: {}
                f:memory: {}
            f:securityContext:
              .: {}
              f:capabilities:
                .: {}
                f:add: {}
                f:drop: {}
            f:terminationMessagePath: {}
            f:terminationMessagePolicy: {}
            f:volumeMounts:
              .: {}
              k:{"mountPath":"/etc/k8s/dns/dnsmasq-nanny"}:
                .: {}
                f:mountPath: {}
                f:name: {}
          k:{"name":"kubedns"}:
            .: {}
            f:args: {}
            f:env:
              .: {}
              k:{"name":"PROMETHEUS_PORT"}:
                .: {}
                f:name: {}
                f:value: {}
            f:image: image-name:tag-name
            f:imagePullPolicy: {}
            f:livenessProbe:
              .: {}
              f:failureThreshold: {}
              f:httpGet:
                .: {}
                f:path: {}
                f:port: {}
                f:scheme: {}
              f:initialDelaySeconds: {}
              f:periodSeconds: {}
              f:successThreshold: {}
              f:timeoutSeconds: {}
            f:name: {}
            f:ports:
              .: {}
              k:{"containerPort":10053,"protocol":"TCP"}:
                .: {}
                f:containerPort: {}
                f:name: {}
                f:protocol: {}
              k:{"containerPort":10053,"protocol":"UDP"}:
                .: {}
                f:containerPort: {}
                f:name: {}
                f:protocol: {}
              k:{"containerPort":10055,"protocol":"TCP"}:
                .: {}
                f:containerPort: {}
                f:name: {}
                f:protocol: {}
            f:readinessProbe:
              .: {}
              f:failureThreshold: {}
              f:httpGet:
                .: {}
                f:path: {}
                f:port: {}
                f:scheme: {}
              f:initialDelaySeconds: {}
              f:periodSeconds: {}
              f:successThreshold: {}
              f:timeoutSeconds: {}
            f:resources:
              .: {}
              f:limits:
                .: {}
                f:memory: {}
              f:requests:
                .: {}
                f:cpu: {}
                f:memory: {}
            f:securityContext:
              .: {}
              f:allowPrivilegeEscalation: {}
              f:readOnlyRootFilesystem: {}
              f:runAsGroup: {}
              f:runAsUser: {}
            f:terminationMessagePath: {}
            f:terminationMessagePolicy: {}
            f:volumeMounts:
              .: {}
              k:{"mountPath":"/kube-dns-config"}:
                .: {}
                f:mountPath: {}
                f:name: {}
          k:{"name":"prometheus-to-sd"}:
            .: {}
            f:command: {}
            f:env:
              .: {}
              k:{"name":"POD_NAME"}:
                .: {}
                f:name: {}
                f:valueFrom:
                  .: {}
                  f:fieldRef:
                    .: {}
                    f:apiVersion: {}
                    f:fieldPath: {}
              k:{"name":"POD_NAMESPACE"}:
                .: {}
                f:name: {}
                f:valueFrom:
                  .: {}
                  f:fieldRef:
                    .: {}
                    f:apiVersion: {}
                    f:fieldPath: {}
            f:image: image-name:tag-name
            f:imagePullPolicy: {}
            f:name: {}
            f:resources: {}
            f:securityContext:
              .: {}
              f:allowPrivilegeEscalation: {}
              f:readOnlyRootFilesystem: {}
              f:runAsGroup: {}
              f:runAsUser: {}
            f:terminationMessagePath: {}
            f:terminationMessagePolicy: {}
          k:{"name":"sidecar"}:
            .: {}
            f:args: {}
            f:image: image-name:tag-name
            f:imagePullPolicy: {}
            f:livenessProbe:
              .: {}
              f:failureThreshold: {}
              f:httpGet:
                .: {}
                f:path: {}
                f:port: {}
                f:scheme: {}
              f:initialDelaySeconds: {}
              f:periodSeconds: {}
              f:successThreshold: {}
              f:timeoutSeconds: {}
            f:name: {}
            f:ports:
              .: {}
              k:{"containerPort":10054,"protocol":"TCP"}:
                .: {}
                f:containerPort: {}
                f:name: {}
                f:protocol: {}
            f:resources:
              .: {}
              f:requests:
                .: {}
                f:cpu: {}
                f:memory: {}
            f:securityContext:
              .: {}
              f:allowPrivilegeEscalation: {}
              f:readOnlyRootFilesystem: {}
              f:runAsGroup: {}
              f:runAsUser: {}
            f:terminationMessagePath: {}
            f:terminationMessagePolicy: {}
        f:dnsPolicy: {}
        f:enableServiceLinks: {}
        f:nodeSelector:
          .: {}
          f:kubernetes.io/os: {}
        f:priorityClassName: {}
        f:restartPolicy: {}
        f:schedulerName: {}
        f:securityContext:
          .: {}
          f:fsGroup: {}
          f:supplementalGroups: {}
        f:serviceAccount: {}
        f:serviceAccountName: {}
        f:terminationGracePeriodSeconds: {}
        f:tolerations: {}
        f:volumes:
          .: {}
          k:{"name":"kube-dns-config"}:
            .: {}
            f:configMap:
              .: {}
              f:defaultMode: {}
              f:name: {}
              f:optional: {}
            f:name: {}
    manager: kube-controller-manager
    operation: Update
    time: "2021-08-20T14:35:04Z"
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:conditions:
          .: {}
          k:{"type":"PodScheduled"}:
            .: {}
            f:lastProbeTime: {}
            f:lastTransitionTime: {}
            f:message: {}
            f:reason: {}
            f:status: {}
            f:type: {}
    manager: kube-scheduler
    operation: Update
    time: "2021-08-20T14:35:04Z"
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:conditions:
          k:{"type":"ContainersReady"}:
            .: {}
            f:lastProbeTime: {}
            f:lastTransitionTime: {}
            f:status: {}
            f:type: {}
          k:{"type":"Initialized"}:
            .: {}
            f:lastProbeTime: {}
            f:lastTransitionTime: {}
            f:status: {}
            f:type: {}
          k:{"type":"Ready"}:
            .: {}
            f:lastProbeTime: {}
            f:lastTransitionTime: {}
            f:status: {}
            f:type: {}
        f:containerStatuses: {}
        f:hostIP: {}
        f:phase: {}
        f:podIP: {}
        f:podIPs:
          .: {}
          k:{"ip":"10..10.10"}:
            .: {}
            f:ip: {}
        f:startTime: {}
    manager: kubelet
    operation: Update
    time: "2021-08-20T14:36:10Z"
  name: kube-dns-76dbc85bd5-zl5tr
  namespace: kube-system
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: kube-dns-76dbc85bd5
    uid: 901a2f14-52d5-468b-af25-6587b60f2887
  resourceVersion: "1391"
  uid: e98f0f22-0937-4495-8211-d5633e50fb8d
spec:
  affinity:
    podAntiAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - podAffinityTerm:
          labelSelector:
            matchExpressions:
            - key: k8s-app
              operator: In
              values:
              - kube-dns
          topologyKey: kubernetes.io/hostname
        weight: 100
  # Four containers; each one carries its own securityContext because the restricted
  # profile evaluates the per-container fields (allowPrivilegeEscalation, runAsNonRoot,
  # capabilities) and does not fall back to pod-level values for them.
  containers:
  - args:
    - --domain=cluster.local.
    - --dns-port=10053
    - --config-dir=/kube-dns-config
    - --v=2
    env:
    - name: PROMETHEUS_PORT
      value: "10055"
    image: image-name:tag-name
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 5
      httpGet:
        path: /healthcheck/kubedns
        port: 10054
        scheme: HTTP
      initialDelaySeconds: 60
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    name: kubedns
    ports:
    - containerPort: 10053
      name: dns-local
      protocol: UDP
    - containerPort: 10053
      name: dns-tcp-local
      protocol: TCP
    - containerPort: 10055
      name: metrics
      protocol: TCP
    readinessProbe:
      failureThreshold: 3
      httpGet:
        path: /readiness
        port: 8081
        scheme: HTTP
      initialDelaySeconds: 3
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    resources:
      limits:
        memory: 210Mi
      requests:
        cpu: 100m
        memory: 70Mi
    # restricted-profile settings: no privilege escalation, non-root user, all capabilities
    # dropped with only NET_BIND_SERVICE (for port 53) added back
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsGroup: 1001
      runAsUser: 1001
      runAsNonRoot: true
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - ALL
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /kube-dns-config
      name: kube-dns-config
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-s8rz5
      readOnly: true
  - args:
    - -v=2
    - -logtostderr
    - -configDir=/etc/k8s/dns/dnsmasq-nanny
    - -restartDnsmasq=true
    - --
    - -k
    - --cache-size=1000
    - --no-negcache
    - --dns-forward-max=1500
    - --log-facility=-
    - --server=/cluster.local/127.0.0.1#10053
    - --server=/in-addr.arpa/127.0.0.1#10053
    - --server=/ip6.arpa/127.0.0.1#10053
    image: image-name:tag-name
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 5
      httpGet:
        path: /healthcheck/dnsmasq
        port: 10054
        scheme: HTTP
      initialDelaySeconds: 60
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    name: dnsmasq
    ports:
    - containerPort: 53
      name: dns
      protocol: UDP
    - containerPort: 53
      name: dns-tcp
      protocol: TCP
    resources:
      requests:
        cpu: 150m
        memory: 20Mi
    # unlike the other three containers this one sets no readOnlyRootFilesystem, runAsUser
    # or runAsGroup; the restricted profile does not require those, so runAsNonRoot plus the
    # capability and privilege-escalation settings are what keep it within the policy
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - ALL
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /etc/k8s/dns/dnsmasq-nanny
      name: kube-dns-config
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-s8rz5
      readOnly: true
  - args:
    - --v=2
    - --logtostderr
    - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.cluster.local,5,SRV
    - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.cluster.local,5,SRV
    image: image-name:tag-name
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 5
      httpGet:
        path: /metrics
        port: 10054
        scheme: HTTP
      initialDelaySeconds: 60
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 5
    name: sidecar
    ports:
    - containerPort: 10054
      name: metrics
      protocol: TCP
    resources:
      requests:
        cpu: 10m
        memory: 20Mi
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsGroup: 1001
      runAsUser: 1001
      runAsNonRoot: true
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - ALL
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-s8rz5
      readOnly: true
  - command:
    - /monitor
    - --stackdriver-prefix=container.googleapis.com/internal/addons
    - --api-override=https://test-monitoring.sandbox.googleapis.com/
    - --pod-id=$(POD_NAME)
    - --namespace-id=$(POD_NAMESPACE)
    - --v=2
    # POD_NAME / POD_NAMESPACE come from the downward API rather than being hard-coded
    env:
    - name: POD_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.name
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.namespace
    image: image-name:tag-name
    imagePullPolicy: IfNotPresent
    name: prometheus-to-sd
    resources: {}
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsGroup: 1001
      runAsUser: 1001
      runAsNonRoot: true
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - ALL
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-s8rz5
      readOnly: true
  dnsPolicy: Default
  enableServiceLinks: true
  nodeName: mynode
  nodeSelector:
    kubernetes.io/os: linux
  preemptionPolicy: PreemptLowerPriority
  priority: 2000000000
  priorityClassName: system-cluster-critical
  restartPolicy: Always
  schedulerName: default-scheduler
  # pod-level seccomp profile; RuntimeDefault is one of the types the restricted profile
  # accepts and applies to every container that does not override it
  securityContext:
    fsGroup: 65534
    seccompProfile:
      type: RuntimeDefault
    supplementalGroups:
    - 65534
  serviceAccount: kube-dns
  serviceAccountName: kube-dns
  terminationGracePeriodSeconds: 30
  tolerations:
  - key: CriticalAddonsOnly
    operator: Exists
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  # only configMap and projected volume types are used; both are in the restricted
  # profile's allowed-volume list
  volumes:
  - configMap:
      defaultMode: 420
      name: kube-dns
      optional: true
    name: kube-dns-config
  # bound, time-limited service account token (expirationSeconds) plus cluster CA and
  # namespace, mounted read-only by every container above
  - name: kube-api-access-s8rz5
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
# Kubelet-reported status copied from the captured object; kept so the fixture round-trips
# like a real pod. Container IDs and image digests are sample values from the capture.
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2021-08-20T14:35:31Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2021-08-20T14:36:10Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2021-08-20T14:36:10Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2021-08-20T14:35:31Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: containerd://f21ec303caca266fa4b81ebe6c210b5aa2b8ea6a262d8038db2c4f57db127187
    image: image-name:tag-name
    imageID: imageid@sha256:8e2a7eaa7e6b1ede58d6361d0058a391260a46f0290b7f0368b709494e9e36bf
    lastState: {}
    name: dnsmasq
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2021-08-20T14:36:03Z"
  - containerID: containerd://bf3db3f330364ba2af3763a3c0b0bcd137f0556a73fffd0e0dbda61035b696a9
    image: image-name:tag-name
    imageID: imageid@sha256:50a1d17afe48a4ae15c9321d8c16d8f1302358c92971884722514c4ed7315ca3
    lastState: {}
    name: kubedns
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2021-08-20T14:35:52Z"
  - containerID: containerd://733304e5217f2c9827736e1226188b11488fd476d0b9f647bd098fe9db89460e
    image: image-name:tag-name
    imageID: imageid@sha256:aca8ef8aa7fae83e1f8583ed78dd4d11f655b9f22a0a76bda5edce6d8965bdf2
    lastState: {}
    name: prometheus-to-sd
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2021-08-20T14:36:09Z"
  - containerID: containerd://4639ada29f769008d3b21eef48cd061534dfd7875b42d5103179d4f0258667e9
    image: image-name:tag-name
    imageID: imageid@sha256:3bb5033aefb3e3dee259ab3d357d38d16eacf9cf2e1542ad577e3796410033ca
    lastState: {}
    name: sidecar
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2021-08-20T14:36:06Z"
  hostIP: 10.128.0.48
  phase: Running
  # "10..10.10" is not a valid IPv4 literal — presumably the pod IP was scrubbed when the
  # fixture was captured (the same value appears in managedFields above); it is status
  # data only and is left as captured
  podIP: 10..10.10
  podIPs:
  - ip: 10..10.10
  qosClass: Burstable
  startTime: "2021-08-20T14:35:31Z"