diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 03bedbc0e..d240b81a6 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -50,7 +50,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 + uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -60,7 +60,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 + uses: github/codeql-action/autobuild@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -73,6 +73,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 + uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 104d2718a..92d358bc1 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -24,4 +24,4 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: 'Dependency Review' - uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0 + uses: actions/dependency-review-action@9f45b2463b475767b61721ccfef113fef513e6aa # v3.1.1 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index a5f66ed3c..53fec756d 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -41,7 +41,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0 + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif @@ -71,6 +71,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 + uses: github/codeql-action/upload-sarif@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5 with: sarif_file: results.sarif diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index c59c40bd8..e515d5184 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -65,7 +65,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - gatekeeper: [ "release-3.13", "release-3.12" ] + gatekeeper: [ "release-3.13", "release-3.14" ] name: "Integration test on Gatekeeper ${{ matrix.gatekeeper }}" steps: - name: Harden Runner diff --git a/scripts/website/generate.go b/scripts/website/generate.go index 62496ed03..fd0d6b9e9 100644 --- a/scripts/website/generate.go +++ b/scripts/website/generate.go @@ -10,6 +10,7 @@ import ( "strings" "gopkg.in/yaml.v3" + "k8s.io/utils/strings/slices" ) const ( @@ -28,6 +29,9 @@ const ( mutationPattern = `(\s*)(type:\s+'category',\s+label:\s+'Mutation',\s+collapsed:\s+true,\s+items:\s*\[\s)(\s*)([^\]]*,)` ) +// Skip including examples for the following Kinds. +var skipExampleKinds = []string{"AdmissionReview"} + // Suite ... // ToDo (nilekh): Get this struct from the Gatekeeper repo. type Suite struct { @@ -140,7 +144,20 @@ func main() { fmt.Println("error while reading ", testCase.Object) panic(err) } - examples += fmt.Sprintf("
\n%s\n\n```yaml\n%s\n```\n\nUsage\n\n```shell\nkubectl apply -f %s\n```\n\n
\n", testCase.Name, exampleContent, exampleRawURL) + + exampleResource := make(map[string]interface{}) + err = yaml.Unmarshal(exampleContent, &exampleResource) + if err != nil { + fmt.Printf("error while unmarshaling: %v", exampleRawURL) + panic(err) + } + + if exampleKind, ok := exampleResource["kind"].(string); !ok { + fmt.Printf("error while parsing kind: %v", exampleRawURL) + panic(err) + } else if !slices.Contains(skipExampleKinds, exampleKind) { + examples += fmt.Sprintf("
\n%s\n\n```yaml\n%s\n```\n\nUsage\n\n```shell\nkubectl apply -f %s\n```\n\n
\n", testCase.Name, exampleContent, exampleRawURL) + } } allExamples += fmt.Sprintf("
\n%s
\n\n%s\n%s\n\n
", test.Name, constraintExample, examples) diff --git a/website/docs/validation/allow-privilege-escalation.md b/website/docs/validation/allow-privilege-escalation.md index 765425505..880f4fee3 100644 --- a/website/docs/validation/allow-privilege-escalation.md +++ b/website/docs/validation/allow-privilege-escalation.md @@ -222,37 +222,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/disallowed_ephemeral.yaml ``` - -
-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: nginx-privilege-escalation-disallowed - labels: - app: nginx-privilege-escalation - spec: - containers: - - name: nginx - image: nginx - securityContext: - allowPrivilegeEscalation: true - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/allow-privilege-escalation/samples/psp-allow-privilege-escalation-container/update.yaml -``` -
diff --git a/website/docs/validation/automount-serviceaccount-token.md b/website/docs/validation/automount-serviceaccount-token.md index 9876ba1aa..a8a7d03db 100644 --- a/website/docs/validation/automount-serviceaccount-token.md +++ b/website/docs/validation/automount-serviceaccount-token.md @@ -161,36 +161,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/example_disallowed.yaml ``` - -
-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: nginx-automountserviceaccounttoken-update - labels: - app: nginx-automountserviceaccounttoken - spec: - automountServiceAccountToken: true - containers: - - name: nginx - image: nginx - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/automount-serviceaccount-token/samples/automount-serviceaccount-token/update.yaml -``` -
diff --git a/website/docs/validation/capabilities.md b/website/docs/validation/capabilities.md index bb6d86f4d..33a9430da 100644 --- a/website/docs/validation/capabilities.md +++ b/website/docs/validation/capabilities.md @@ -317,46 +317,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/capabilities/samples/capabilities-demo/disallowed_ephemeral.yaml ``` - -
-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: opa-disallowed - labels: - owner: me.agilebank.demo - spec: - containers: - - name: opa - image: openpolicyagent/opa:0.9.2 - args: - - "run" - - "--server" - - "--addr=localhost:8080" - securityContext: - capabilities: - add: ["disallowedcapability"] - resources: - limits: - cpu: "100m" - memory: "30Mi" - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/capabilities/samples/capabilities-demo/update.yaml -``` -
diff --git a/website/docs/validation/ephemeralstoragelimit.md b/website/docs/validation/ephemeralstoragelimit.md index 83e219488..c44abbbe6 100644 --- a/website/docs/validation/ephemeralstoragelimit.md +++ b/website/docs/validation/ephemeralstoragelimit.md @@ -471,44 +471,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/example_disallowed_ephemeral_storage_limit_1Pi-initContainer.yaml ``` - -
-ephemeral-storage-limit-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: opa-allowed - labels: - owner: me.agilebank.demo - spec: - containers: - - name: opa - image: openpolicyagent/opa:0.9.2 - args: - - "run" - - "--server" - - "--addr=localhost:8080" - resources: - limits: - cpu: "100m" - memory: "1Gi" - ephemeral-storage: "1Pi" - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/ephemeralstoragelimit/samples/container-must-have-ephemeral-storage-limit/update.yaml -``` -
diff --git a/website/docs/validation/flexvolume-drivers.md b/website/docs/validation/flexvolume-drivers.md index 04d28cec3..423aa049f 100644 --- a/website/docs/validation/flexvolume-drivers.md +++ b/website/docs/validation/flexvolume-drivers.md @@ -184,43 +184,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/example_disallowed.yaml ``` - -
-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: nginx-flexvolume-driver-disallowed - labels: - app: nginx-flexvolume-driver - spec: - containers: - - name: nginx - image: nginx - volumeMounts: - - mountPath: /test - name: test-volume - readOnly: true - volumes: - - name: test-volume - flexVolume: - driver: "example/testdriver" #"example/lvm" - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/flexvolume-drivers/samples/psp-flexvolume-drivers/update.yaml -``` -
diff --git a/website/docs/validation/forbidden-sysctls.md b/website/docs/validation/forbidden-sysctls.md index 1b5b4a27c..0891bc036 100644 --- a/website/docs/validation/forbidden-sysctls.md +++ b/website/docs/validation/forbidden-sysctls.md @@ -208,41 +208,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/example_allowed.yaml ``` - -
-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: nginx-forbidden-sysctls-disallowed - labels: - app: nginx-forbidden-sysctls - spec: - containers: - - name: nginx - image: nginx - securityContext: - sysctls: - - name: kernel.msgmax - value: "65536" - - name: net.core.somaxconn - value: "1024" - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/forbidden-sysctls/samples/psp-forbidden-sysctls/update.yaml -``` -
diff --git a/website/docs/validation/fsgroup.md b/website/docs/validation/fsgroup.md index 6a35e43c0..cc96a5599 100644 --- a/website/docs/validation/fsgroup.md +++ b/website/docs/validation/fsgroup.md @@ -216,42 +216,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/fsgroup/samples/psp-fsgroup/example_allowed.yaml ``` - -
-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: fsgroup-disallowed - spec: - securityContext: - fsGroup: 2000 # directory will have group ID 2000 - volumes: - - name: fsgroup-demo-vol - emptyDir: {} - containers: - - name: fsgroup-demo - image: busybox - command: [ "sh", "-c", "sleep 1h" ] - volumeMounts: - - name: fsgroup-demo-vol - mountPath: /data/demo - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/fsgroup/samples/psp-fsgroup/update.yaml -``` -
diff --git a/website/docs/validation/host-filesystem.md b/website/docs/validation/host-filesystem.md index cd7430a09..e709f76e8 100644 --- a/website/docs/validation/host-filesystem.md +++ b/website/docs/validation/host-filesystem.md @@ -292,43 +292,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/disallowed_ephemeral.yaml ``` - -
-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: nginx-host-filesystem - labels: - app: nginx-host-filesystem-disallowed - spec: - containers: - - name: nginx - image: nginx - volumeMounts: - - mountPath: /cache - name: cache-volume - readOnly: true - volumes: - - name: cache-volume - hostPath: - path: /tmp # directory location on host - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-filesystem/samples/psp-host-filesystem/update.yaml -``` -
diff --git a/website/docs/validation/host-namespaces.md b/website/docs/validation/host-namespaces.md index 0c433062e..26c35ce8c 100644 --- a/website/docs/validation/host-namespaces.md +++ b/website/docs/validation/host-namespaces.md @@ -150,37 +150,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/example_disallowed.yaml ``` - -
-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: nginx-host-namespace-disallowed - labels: - app: nginx-host-namespace - spec: - hostPID: true - hostIPC: true - containers: - - name: nginx - image: nginx - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-namespaces/samples/psp-host-namespace/update.yaml -``` -
diff --git a/website/docs/validation/host-network-ports.md b/website/docs/validation/host-network-ports.md index 373d1ab3f..1debe644c 100644 --- a/website/docs/validation/host-network-ports.md +++ b/website/docs/validation/host-network-ports.md @@ -250,39 +250,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/disallowed_ephemeral.yaml ``` - -
-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: nginx-host-networking-ports-disallowed - labels: - app: nginx-host-networking-ports - spec: - hostNetwork: true - containers: - - name: nginx - image: nginx - ports: - - containerPort: 9001 - hostPort: 9001 - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/host-network-ports/samples/psp-host-network-ports/update.yaml -``` -
diff --git a/website/docs/validation/privileged-containers.md b/website/docs/validation/privileged-containers.md index ef596bbde..fe56c7d8b 100644 --- a/website/docs/validation/privileged-containers.md +++ b/website/docs/validation/privileged-containers.md @@ -215,37 +215,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/disallowed_ephemeral.yaml ``` - -
-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: nginx-privileged-disallowed - labels: - app: nginx-privileged - spec: - containers: - - name: nginx - image: nginx - securityContext: - privileged: true - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/privileged-containers/samples/psp-privileged-container/update.yaml -``` -
diff --git a/website/docs/validation/proc-mount.md b/website/docs/validation/proc-mount.md index e792ff25b..2fd4cf590 100644 --- a/website/docs/validation/proc-mount.md +++ b/website/docs/validation/proc-mount.md @@ -262,37 +262,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/proc-mount/samples/psp-proc-mount/disallowed_ephemeral.yaml ``` - -
-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: nginx-proc-mount-disallowed - labels: - app: nginx-proc-mount - spec: - containers: - - name: nginx - image: nginx - securityContext: - procMount: Unmasked #Default - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/proc-mount/samples/psp-proc-mount/update.yaml -``` -
diff --git a/website/docs/validation/read-only-root-filesystem.md b/website/docs/validation/read-only-root-filesystem.md index cefd32931..f87b6d817 100644 --- a/website/docs/validation/read-only-root-filesystem.md +++ b/website/docs/validation/read-only-root-filesystem.md @@ -225,37 +225,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/disallowed_ephemeral.yaml ``` - -
-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: nginx-readonlyrootfilesystem-disallowed - labels: - app: nginx-readonlyrootfilesystem - spec: - containers: - - name: nginx - image: nginx - securityContext: - readOnlyRootFilesystem: false - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/read-only-root-filesystem/samples/psp-readonlyrootfilesystem/update.yaml -``` -
diff --git a/website/docs/validation/requiredprobes.md b/website/docs/validation/requiredprobes.md index 4561c24f7..d9c6ea4cc 100644 --- a/website/docs/validation/requiredprobes.md +++ b/website/docs/validation/requiredprobes.md @@ -255,55 +255,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/requiredprobes/samples/must-have-probes/example_disallowed2.yaml ``` - -
-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: test-pod1 - spec: - containers: - - name: nginx-1 - image: nginx:1.7.9 - ports: - - containerPort: 80 - livenessProbe: - # tcpSocket: - # port: 80 - # initialDelaySeconds: 5 - # periodSeconds: 10 - volumeMounts: - - mountPath: /tmp/cache - name: cache-volume - - name: tomcat - image: tomcat - ports: - - containerPort: 8080 - readinessProbe: - tcpSocket: - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 10 - volumes: - - name: cache-volume - emptyDir: {} - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/general/requiredprobes/samples/must-have-probes/update.yaml -``` -
diff --git a/website/docs/validation/selinux.md b/website/docs/validation/selinux.md index f44f5588a..3c33766b5 100644 --- a/website/docs/validation/selinux.md +++ b/website/docs/validation/selinux.md @@ -284,41 +284,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/selinux/samples/psp-selinux-v2/disallowed_ephemeral.yaml ``` - -
-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: nginx-selinux-disallowed - labels: - app: nginx-selinux - spec: - containers: - - name: nginx - image: nginx - securityContext: - seLinuxOptions: - level: s1:c234,c567 - user: sysadm_u - role: sysadm_r - type: svirt_lxc_net_t - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/selinux/samples/psp-selinux-v2/update.yaml -``` -
diff --git a/website/docs/validation/users.md b/website/docs/validation/users.md index 69d592ca8..0b1ddfb77 100644 --- a/website/docs/validation/users.md +++ b/website/docs/validation/users.md @@ -450,42 +450,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/disallowed_ephemeral.yaml ``` - -
-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: nginx-users-disallowed - labels: - app: nginx-users - spec: - securityContext: - supplementalGroups: - - 250 - fsGroup: 250 - containers: - - name: nginx - image: nginx - securityContext: - runAsUser: 250 - runAsGroup: 250 - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/users/samples/psp-pods-allowed-user-ranges/update.yaml -``` -
diff --git a/website/docs/validation/volumes.md b/website/docs/validation/volumes.md index b2ed0f55d..f2b8042bd 100644 --- a/website/docs/validation/volumes.md +++ b/website/docs/validation/volumes.md @@ -194,49 +194,6 @@ Usage kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/volumes/samples/psp-volume-types/example_allowed.yaml ``` - -
-update - -```yaml -kind: AdmissionReview -apiVersion: admission.k8s.io/v1beta1 -request: - operation: "UPDATE" - object: - apiVersion: v1 - kind: Pod - metadata: - name: nginx-volume-types-disallowed - labels: - app: nginx-volume-types - spec: - containers: - - name: nginx - image: nginx - volumeMounts: - - mountPath: /cache - name: cache-volume - - name: nginx2 - image: nginx - volumeMounts: - - mountPath: /cache2 - name: demo-vol - volumes: - - name: cache-volume - hostPath: - path: /tmp # directory location on host - - name: demo-vol - emptyDir: {} - -``` - -Usage - -```shell -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/volumes/samples/psp-volume-types/update.yaml -``` -