diff --git a/Makefile b/Makefile
index fb670bb0a..bc7908f22 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 docker := docker #You can build with podman by doing: make docker=podman
-KIND_VERSION ?= 0.17.0
+KIND_VERSION ?= 0.23.0
 # note: k8s version pinned since KIND image availability lags k8s releases
-KUBERNETES_VERSION ?= 1.26.0
+KUBERNETES_VERSION ?= 1.30.0
 KUSTOMIZE_VERSION ?= 4.5.5
 GATEKEEPER_VERSION ?= 3.16.3
 BATS_VERSION ?= 1.8.2
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/disallowed_ephemeral.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/disallowed_ephemeral.yaml
index 4be38f45d..74e034148 100644
--- a/artifacthub/library/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/disallowed_ephemeral.yaml
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/disallowed_ephemeral.yaml
@@ -5,6 +5,7 @@ metadata:
 labels:
 app: nginx-proc-mount
 spec:
+ hostUsers: false
 ephemeralContainers:
 - name: nginx
 image: nginx
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/example_allowed.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/example_allowed.yaml
index c9b13ac71..cc272bafb 100644
--- a/artifacthub/library/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/example_allowed.yaml
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/example_allowed.yaml
@@ -1,10 +1,11 @@
 apiVersion: v1
 kind: Pod
 metadata:
- name: nginx-proc-mount-disallowed
+ name: nginx-proc-mount-allowed
 labels:
 app: nginx-proc-mount
 spec:
+ hostUsers: false
 containers:
 - name: nginx
 image: nginx
diff --git a/artifacthub/library/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/example_disallowed.yaml b/artifacthub/library/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/example_disallowed.yaml
index 403c7cb2a..f0c3b030a 100644
--- a/artifacthub/library/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/example_disallowed.yaml
+++ b/artifacthub/library/pod-security-policy/proc-mount/1.1.0/samples/psp-proc-mount/example_disallowed.yaml
@@ -5,6 +5,7 @@ metadata:
 labels:
 app: nginx-proc-mount
 spec:
+ hostUsers: false
 containers:
 - name: nginx
 image: nginx
diff --git a/library/pod-security-policy/proc-mount/samples/psp-proc-mount/disallowed_ephemeral.yaml b/library/pod-security-policy/proc-mount/samples/psp-proc-mount/disallowed_ephemeral.yaml
index 4be38f45d..74e034148 100644
--- a/library/pod-security-policy/proc-mount/samples/psp-proc-mount/disallowed_ephemeral.yaml
+++ b/library/pod-security-policy/proc-mount/samples/psp-proc-mount/disallowed_ephemeral.yaml
@@ -5,6 +5,7 @@ metadata:
 labels:
 app: nginx-proc-mount
 spec:
+ hostUsers: false
 ephemeralContainers:
 - name: nginx
 image: nginx
diff --git a/library/pod-security-policy/proc-mount/samples/psp-proc-mount/example_allowed.yaml b/library/pod-security-policy/proc-mount/samples/psp-proc-mount/example_allowed.yaml
index c9b13ac71..cc272bafb 100644
--- a/library/pod-security-policy/proc-mount/samples/psp-proc-mount/example_allowed.yaml
+++ b/library/pod-security-policy/proc-mount/samples/psp-proc-mount/example_allowed.yaml
@@ -1,10 +1,11 @@
 apiVersion: v1
 kind: Pod
 metadata:
- name: nginx-proc-mount-disallowed
+ name: nginx-proc-mount-allowed
 labels:
 app: nginx-proc-mount
 spec:
+ hostUsers: false
 containers:
 - name: nginx
 image: nginx
diff --git a/library/pod-security-policy/proc-mount/samples/psp-proc-mount/example_disallowed.yaml b/library/pod-security-policy/proc-mount/samples/psp-proc-mount/example_disallowed.yaml
index 403c7cb2a..f0c3b030a 100644
--- a/library/pod-security-policy/proc-mount/samples/psp-proc-mount/example_disallowed.yaml
+++ b/library/pod-security-policy/proc-mount/samples/psp-proc-mount/example_disallowed.yaml
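Review bot: In the library example_allowed.yaml hunk, `hostUsers: false` is added to the sample that is supposed to pass the policy, but nothing says why a pod that should be admitted also opts out of the host user namespace, so a reader copying it cannot tell whether the field is part of the allowed case or only kept in step with the disallowed samples. If it is parity, say so on the line: `hostUsers: false  # not required by the policy; kept in step with the disallowed samples`. If the intent is that every proc-mount sample runs inside a user namespace, a one-line comment stating that would do instead. The corrected `metadata.name` is a welcome fix; the container entry with the procMount value itself sits outside the hunk.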
@@ -5,6 +5,7 @@ metadata:
 labels:
 app: nginx-proc-mount
 spec:
+ hostUsers: false
 containers:
 - name: nginx
 image: nginx
diff --git a/test/bats/test.bats b/test/bats/test.bats
index 460c6bfab..f45441166 100755
--- a/test/bats/test.bats
+++ b/test/bats/test.bats
@@ -107,6 +107,8 @@ setup() {
 for allowed in "$sample"/example_allowed*.yaml; do
 if [[ -e "$allowed" ]]; then
 # apply resource
+ echo "Applying ${allowed} with contents:"
+ cat ${allowed}
 run kubectl apply -f "$allowed"
 assert_match 'created' "$output"
 assert_success
@@ -118,6 +120,8 @@ setup() {
 for disallowed in "$sample"/example_disallowed*.yaml; do
 if [[ -e "$disallowed" ]]; then
 # apply resource
+ echo "Applying ${disallowed} with contents:"
+ cat ${disallowed}
 run kubectl apply -f "$disallowed"
 assert_match_either 'denied the request' 'no matches for kind' "${output}"
 assert_failure
diff --git a/test/kind_config.yaml b/test/kind_config.yaml
index 059e7b5ac..f96567931 100644
--- a/test/kind_config.yaml
+++ b/test/kind_config.yaml
@@ -2,3 +2,4 @@ kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 featureGates:
 "ProcMountType": true
+ "UserNamespacesSupport": true
diff --git a/website/docs/validation/proc-mount.md b/website/docs/validation/proc-mount.md
index ff21745d2..17c26d23f 100644
--- a/website/docs/validation/proc-mount.md
+++ b/website/docs/validation/proc-mount.md
@@ -238,6 +238,7 @@ metadata:
 labels:
 app: nginx-proc-mount
 spec:
+ hostUsers: false
 containers:
 - name: nginx
 image: nginx
@@ -260,10 +261,11 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
 apiVersion: v1
 kind: Pod
 metadata:
- name: nginx-proc-mount-disallowed
+ name: nginx-proc-mount-allowed
 labels:
 app: nginx-proc-mount
 spec:
+ hostUsers: false
 containers:
 - name: nginx
 image: nginx
@@ -290,6 +292,7 @@ metadata:
 labels:
 app: nginx-proc-mount
 spec:
+ hostUsers: false
 ephemeralContainers:
 - name: nginx
 image: nginx
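Review bot: In the library example_disallowed.yaml hunk, `hostUsers: false` is added with no comment explaining why a sample that is meant to be rejected by the policy now also opts into a user namespace. Read together with the 1.30 bump and the `UserNamespacesSupport` gate in this same commit, it looks like the API server now refuses `procMount: Unmasked` unless `hostUsers` is false, so the field is what lets the request reach Gatekeeper and be denied for the right reason; that inference is worth confirming and recording, because anyone copying the sample onto a cluster without that gate will see a different failure than the one the sample demonstrates. A line comment would carry it: `hostUsers: false  # Unmasked procMount is only accepted inside a user namespace (needs the UserNamespacesSupport gate)`. The same applies to the ephemeral-container sample and the artifacthub copies; the container entry with the procMount setting sits outside the hunk.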
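Review bot: `cat ${allowed}` in the first test.bats hunk (and `cat ${disallowed}` in the second) leaves the path unquoted while the neighbouring `-e "$allowed"` and `kubectl apply -f "$allowed"` quote it, so a sample path containing whitespace or glob characters would be split or expanded before cat sees it. Quote both for consistency with the rest of the loop: `cat "${allowed}"` and `cat "${disallowed}"`. The enclosing test body starts and ends outside the hunk, and the `setup() {` in the hunk header is only git's function-context guess.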
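Review bot: `"UserNamespacesSupport": true` in the kind_config.yaml hunk is enabled with no note tying it to the `hostUsers: false` the proc-mount samples now set, so the next person pruning feature gates cannot tell which test depends on it. A trailing comment records the coupling: `"UserNamespacesSupport": true  # proc-mount samples set hostUsers: false`. Presumably the gate is what stops a 1.30 API server from dropping that field on create; a pod that is admitted but cannot actually start in a user namespace on the kind node would still satisfy the bats checks, which only assert on admission, so that seems acceptable but is worth stating in the comment as well.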