From a5dc849d8ada67de051262bc16ee4f1f5ba7f7f7 Mon Sep 17 00:00:00 2001
From: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
Date: Wed, 27 Sep 2023 13:12:16 +0300
Subject: [PATCH 01/11] Mutation for securityContext
Signed-off-by: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
---
...mutation.yaml => mutation-annotation.yaml} | 2 +-
.../samples/mutation-securityContext.yaml | 21 +++++++++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
rename mutation/pod-security-policy/seccomp/samples/{mutation.yaml => mutation-annotation.yaml} (90%)
create mode 100644 mutation/pod-security-policy/seccomp/samples/mutation-securityContext.yaml
diff --git a/mutation/pod-security-policy/seccomp/samples/mutation.yaml b/mutation/pod-security-policy/seccomp/samples/mutation-annotation.yaml
similarity index 90%
rename from mutation/pod-security-policy/seccomp/samples/mutation.yaml
rename to mutation/pod-security-policy/seccomp/samples/mutation-annotation.yaml
index 9b2961222..af12becd6 100644
--- a/mutation/pod-security-policy/seccomp/samples/mutation.yaml
+++ b/mutation/pod-security-policy/seccomp/samples/mutation-annotation.yaml
@@ -1,7 +1,7 @@
apiVersion: mutations.gatekeeper.sh/v1alpha1
kind: AssignMetadata
metadata:
- name: k8spspseccomp
+ name: k8spspseccompannotation
spec:
match:
scope: Namespaced
diff --git a/mutation/pod-security-policy/seccomp/samples/mutation-securityContext.yaml b/mutation/pod-security-policy/seccomp/samples/mutation-securityContext.yaml
new file mode 100644
index 000000000..8a5548c98
--- /dev/null
+++ b/mutation/pod-security-policy/seccomp/samples/mutation-securityContext.yaml
@@ -0,0 +1,21 @@
+apiVersion: mutations.gatekeeper.sh/v1alpha1
+kind: Assign
+metadata:
+ name: k8spspseccompcontext
+spec:
+ applyTo:
+ - groups: [""]
+ kinds: ["Pod"]
+ versions: ["v1"]
+ match:
+ scope: Namespaced
+ kinds:
+ - apiGroups: ["*"]
+ kinds: ["Pod"]
+ location: "spec.securityContext.seccompProfile.type"
+ parameters:
+ pathTests:
+ - subPath: "spec.securityContext.seccompProfile.type"
+ condition: MustNotExist
+ assign:
+ value: RuntimeDefault
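Review bot: `match.kinds[0].apiGroups: ["*"]` disagrees with `applyTo.groups: [""]` a few lines above it and with the AssignMetadata mutator's `apiGroups: [""]` (visible in the docs hunk of PATCH 03); Pods exist only in the core group, so `- apiGroups: [""]` is the precise form and keeps the two samples consistent. Separately, the `MustNotExist` path test means this mutator only fills in a missing pod-level profile: an explicit pod-level `Unconfined`, or a container-level `securityContext.seccompProfile` (which takes precedence over the pod-level value), is left untouched. That is the right behaviour for a default-filling mutation, but the sample should state it so nobody reads it as enforcement, e.g. a leading comment `# Sets a pod-level default only; existing pod- or container-level seccompProfile values are not overridden — keep the seccomp validation constraint enforced alongside this mutator.`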
From 63e6d1d76822d91156726324df9b329b27fee11c Mon Sep 17 00:00:00 2001
From: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
Date: Wed, 27 Sep 2023 13:47:54 +0300
Subject: [PATCH 02/11] Examples
Signed-off-by: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
---
.../samples/psp-seccomp/example_allowed3.yaml | 13 +++++++++++++
.../samples/psp-seccomp/example_disallowed3.yaml | 13 +++++++++++++
2 files changed, 26 insertions(+)
create mode 100644 library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml
create mode 100644 library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml
diff --git a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml
new file mode 100644
index 000000000..c975a5d49
--- /dev/null
+++ b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-seccomp-allowed3
+ labels:
+ app: nginx-seccomp
+spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: nginx
+ image: nginx
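Review bot: These two sample files are deleted again in PATCH 04 and re-created under the same paths in PATCH 07 with a different `metadata.name` (`nginx-seccomp-allowed2`), which PATCH 09 then corrects, so the samples change identity three times across the series while no commit in between has a suite entry that references them. Squashing PATCH 02, 04, 07 and 09 into one commit that adds the final `example_allowed3.yaml` / `example_disallowed3.yaml` together with their suite entries would leave every commit self-consistent and bisectable. The artifacthub copies added in PATCH 08 follow the same path and would fold into the same squash.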
diff --git a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml
new file mode 100644
index 000000000..2b4f167ec
--- /dev/null
+++ b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-seccomp-disallowed3
+ labels:
+ app: nginx-seccomp
+spec:
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ containers:
+ - name: nginx
+ image: nginx
From 2a56f1c50337dfb9aeb2e497168ed02c8e82baa4 Mon Sep 17 00:00:00 2001
From: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
Date: Wed, 27 Sep 2023 16:27:17 +0300
Subject: [PATCH 03/11] Artifacts
Signed-off-by: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
---
website/docs/mutation-examples/seccomp.md | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/website/docs/mutation-examples/seccomp.md b/website/docs/mutation-examples/seccomp.md
index f961c2194..371af42f0 100644
--- a/website/docs/mutation-examples/seccomp.md
+++ b/website/docs/mutation-examples/seccomp.md
@@ -7,23 +7,30 @@ title: seccomp
### Usage
```shell
-kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/mutation/pod-security-policy/seccomp/samples/mutation.yaml
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/mutation/pod-security-policy/seccomp/samples/mutation-securityContext.yaml
```
## Mutation Examples
```yaml
apiVersion: mutations.gatekeeper.sh/v1alpha1
-kind: AssignMetadata
+kind: Assign
metadata:
- name: k8spspseccomp
+ name: k8spspseccompcontext
spec:
+ applyTo:
+ - groups: [""]
+ kinds: ["Pod"]
+ versions: ["v1"]
match:
scope: Namespaced
kinds:
- - apiGroups: [""]
+ - apiGroups: ["*"]
kinds: ["Pod"]
- location: metadata.annotations."seccomp.security.alpha.kubernetes.io/pod"
+ location: "spec.securityContext.seccompProfile.type"
parameters:
+ pathTests:
+ - subPath: "spec.securityContext.seccompProfile.type"
+ condition: MustNotExist
assign:
- value: runtime/default
+ value: RuntimeDefault
```
\ No newline at end of file
From bd1bdbb4cac7dc3522d608251bb46081a97ac447 Mon Sep 17 00:00:00 2001
From: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
Date: Wed, 27 Sep 2023 16:47:12 +0300
Subject: [PATCH 04/11] Artifacts
Signed-off-by: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
---
.../1.0.0/samples/psp-seccomp/example_allowed2.yaml | 3 +++
.../samples/psp-seccomp/example_disallowed2.yaml | 3 +++
.../samples/psp-seccomp/example_allowed2.yaml | 3 +++
.../samples/psp-seccomp/example_allowed3.yaml | 13 -------------
.../samples/psp-seccomp/example_disallowed2.yaml | 3 +++
.../samples/psp-seccomp/example_disallowed3.yaml | 13 -------------
website/docs/validation/seccomp.md | 6 ++++++
7 files changed, 18 insertions(+), 26 deletions(-)
delete mode 100644 library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml
delete mode 100644 library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml
diff --git a/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed2.yaml b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed2.yaml
index f8766e774..2fe315041 100644
--- a/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed2.yaml
+++ b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed2.yaml
@@ -7,6 +7,9 @@ metadata:
labels:
app: nginx-seccomp
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: nginx
image: nginx
diff --git a/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_disallowed2.yaml b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_disallowed2.yaml
index 6008d8f72..abd8e852b 100644
--- a/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_disallowed2.yaml
+++ b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_disallowed2.yaml
@@ -7,6 +7,9 @@ metadata:
labels:
app: nginx-seccomp
spec:
+ securityContext:
+ seccompProfile:
+ type: Unconfined
containers:
- name: nginx
image: nginx
diff --git a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed2.yaml b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed2.yaml
index f8766e774..2fe315041 100644
--- a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed2.yaml
+++ b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed2.yaml
@@ -7,6 +7,9 @@ metadata:
labels:
app: nginx-seccomp
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: nginx
image: nginx
diff --git a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml
deleted file mode 100644
index c975a5d49..000000000
--- a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: nginx-seccomp-allowed3
- labels:
- app: nginx-seccomp
-spec:
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- containers:
- - name: nginx
- image: nginx
diff --git a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed2.yaml b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed2.yaml
index 6008d8f72..abd8e852b 100644
--- a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed2.yaml
+++ b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed2.yaml
@@ -7,6 +7,9 @@ metadata:
labels:
app: nginx-seccomp
spec:
+ securityContext:
+ seccompProfile:
+ type: Unconfined
containers:
- name: nginx
image: nginx
diff --git a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml
deleted file mode 100644
index 2b4f167ec..000000000
--- a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: nginx-seccomp-disallowed3
- labels:
- app: nginx-seccomp
-spec:
- securityContext:
- seccompProfile:
- type: Unconfined
- containers:
- - name: nginx
- image: nginx
diff --git a/website/docs/validation/seccomp.md b/website/docs/validation/seccomp.md
index 7fbe4fb59..c5dcfea19 100644
--- a/website/docs/validation/seccomp.md
+++ b/website/docs/validation/seccomp.md
@@ -343,6 +343,9 @@ metadata:
labels:
app: nginx-seccomp
spec:
+ securityContext:
+ seccompProfile:
+ type: Unconfined
containers:
- name: nginx
image: nginx
@@ -421,6 +424,9 @@ metadata:
labels:
app: nginx-seccomp
spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
containers:
- name: nginx
image: nginx
From 6b84a29d4f2fb78cfb51554c6fa94d103080b617 Mon Sep 17 00:00:00 2001
From: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
Date: Wed, 27 Sep 2023 17:07:13 +0300
Subject: [PATCH 05/11] Artifacts
Signed-off-by: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
---
.../seccomp/1.0.0/samples/psp-seccomp/example_allowed2.yaml | 2 +-
.../seccomp/samples/psp-seccomp/example_allowed2.yaml | 2 +-
website/docs/validation/seccomp.md | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed2.yaml b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed2.yaml
index 2fe315041..692f1d55d 100644
--- a/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed2.yaml
+++ b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed2.yaml
@@ -9,7 +9,7 @@ metadata:
spec:
securityContext:
seccompProfile:
- type: RuntimeDefault
+ type: RuntimeDefault
containers:
- name: nginx
image: nginx
diff --git a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed2.yaml b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed2.yaml
index 2fe315041..692f1d55d 100644
--- a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed2.yaml
+++ b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed2.yaml
@@ -9,7 +9,7 @@ metadata:
spec:
securityContext:
seccompProfile:
- type: RuntimeDefault
+ type: RuntimeDefault
containers:
- name: nginx
image: nginx
diff --git a/website/docs/validation/seccomp.md b/website/docs/validation/seccomp.md
index c5dcfea19..72303cefe 100644
--- a/website/docs/validation/seccomp.md
+++ b/website/docs/validation/seccomp.md
@@ -426,7 +426,7 @@ metadata:
spec:
securityContext:
seccompProfile:
- type: RuntimeDefault
+ type: RuntimeDefault
containers:
- name: nginx
image: nginx
From 71cff3d806d08c9b1a0f02f2ec1ac7828e78570b Mon Sep 17 00:00:00 2001
From: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
Date: Thu, 5 Oct 2023 10:21:19 +0300
Subject: [PATCH 06/11] test suite
Signed-off-by: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
---
.../library/pod-security-policy/seccomp/1.0.0/suite.yaml | 2 +-
library/pod-security-policy/seccomp/suite.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/artifacthub/library/pod-security-policy/seccomp/1.0.0/suite.yaml b/artifacthub/library/pod-security-policy/seccomp/1.0.0/suite.yaml
index 62336b26e..96e0f958b 100644
--- a/artifacthub/library/pod-security-policy/seccomp/1.0.0/suite.yaml
+++ b/artifacthub/library/pod-security-policy/seccomp/1.0.0/suite.yaml
@@ -11,7 +11,7 @@ tests:
object: samples/psp-seccomp/example_disallowed2.yaml
assertions:
- violations: 1
- message: "Seccomp profile 'unconfined' is not allowed for container 'nginx'. Found at: annotation seccomp.security.alpha.kubernetes.io/pod"
+ message: "Seccomp profile 'Unconfined' is not allowed for container 'nginx'. Found at: annotation seccomp.security.alpha.kubernetes.io/pod"
- name: example-disallowed-container
object: samples/psp-seccomp/example_disallowed.yaml
assertions:
diff --git a/library/pod-security-policy/seccomp/suite.yaml b/library/pod-security-policy/seccomp/suite.yaml
index 62336b26e..96e0f958b 100644
--- a/library/pod-security-policy/seccomp/suite.yaml
+++ b/library/pod-security-policy/seccomp/suite.yaml
@@ -11,7 +11,7 @@ tests:
object: samples/psp-seccomp/example_disallowed2.yaml
assertions:
- violations: 1
- message: "Seccomp profile 'unconfined' is not allowed for container 'nginx'. Found at: annotation seccomp.security.alpha.kubernetes.io/pod"
+ message: "Seccomp profile 'Unconfined' is not allowed for container 'nginx'. Found at: annotation seccomp.security.alpha.kubernetes.io/pod"
- name: example-disallowed-container
object: samples/psp-seccomp/example_disallowed.yaml
assertions:
From b2e496e8e297dc787a7da6fd771243fcb06d40cd Mon Sep 17 00:00:00 2001
From: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
Date: Wed, 11 Oct 2023 11:03:14 +0300
Subject: [PATCH 07/11] new test suites
Signed-off-by: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
---
.../psp-seccomp/example_disallowed2.yaml | 3 -
.../seccomp/1.0.0/suite.yaml | 11 +++-
.../samples/psp-seccomp/example_allowed3.yaml | 13 +++++
.../psp-seccomp/example_disallowed2.yaml | 3 -
.../psp-seccomp/example_disallowed3.yaml | 13 +++++
.../pod-security-policy/seccomp/suite.yaml | 11 +++-
website/docs/validation/seccomp.md | 57 ++++++++++++++++++-
7 files changed, 100 insertions(+), 11 deletions(-)
create mode 100644 library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml
create mode 100644 library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml
diff --git a/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_disallowed2.yaml b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_disallowed2.yaml
index abd8e852b..6008d8f72 100644
--- a/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_disallowed2.yaml
+++ b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_disallowed2.yaml
@@ -7,9 +7,6 @@ metadata:
labels:
app: nginx-seccomp
spec:
- securityContext:
- seccompProfile:
- type: Unconfined
containers:
- name: nginx
image: nginx
diff --git a/artifacthub/library/pod-security-policy/seccomp/1.0.0/suite.yaml b/artifacthub/library/pod-security-policy/seccomp/1.0.0/suite.yaml
index 96e0f958b..1411d20c5 100644
--- a/artifacthub/library/pod-security-policy/seccomp/1.0.0/suite.yaml
+++ b/artifacthub/library/pod-security-policy/seccomp/1.0.0/suite.yaml
@@ -11,7 +11,7 @@ tests:
object: samples/psp-seccomp/example_disallowed2.yaml
assertions:
- violations: 1
- message: "Seccomp profile 'Unconfined' is not allowed for container 'nginx'. Found at: annotation seccomp.security.alpha.kubernetes.io/pod"
+ message: "Seccomp profile 'unconfined' is not allowed for container 'nginx'. Found at: annotation seccomp.security.alpha.kubernetes.io/pod"
- name: example-disallowed-container
object: samples/psp-seccomp/example_disallowed.yaml
assertions:
@@ -30,3 +30,12 @@ tests:
assertions:
- violations: 1
message: "Seccomp profile 'unconfined' is not allowed for container 'nginx'. Found at: annotation container.seccomp.security.alpha.kubernetes.io/nginx"
+ - name: example-allowed-global-securityContext
+ object: samples/psp-seccomp/example_allowed3.yaml
+ assertions:
+ - violations: no
+ - name: example-disallowed-global-securityContext
+ object: samples/psp-seccomp/example_disallowed3.yaml
+ assertions:
+ - violations: 1
+ message: "Seccomp profile 'Unconfined' is not allowed for container 'nginx'. Found at: pod securityContext"
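Review bot: The new assertion `message: "Seccomp profile 'Unconfined' is not allowed for container 'nginx'. Found at: pod securityContext"` depends on the constraint template already evaluating `spec.securityContext.seccompProfile` and emitting exactly that location string, yet no template change appears anywhere in this series; confirm against the template that the pod-level check and this wording exist, because otherwise this test will fail rather than prove anything. The test names `example-allowed-global-securityContext` / `example-disallowed-global-securityContext` mix camelCase into a file whose existing names are all lowercase kebab (`example-disallowed-container`), and "global" is not the term the message itself uses; `- name: example-allowed-pod-securitycontext` and `- name: example-disallowed-pod-securitycontext` would match both. The same two points apply to the identical hunk in `library/pod-security-policy/seccomp/suite.yaml` in this patch.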
diff --git a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml
new file mode 100644
index 000000000..555aacf6e
--- /dev/null
+++ b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-seccomp-allowed2
+ labels:
+ app: nginx-seccomp
+spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed2.yaml b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed2.yaml
index abd8e852b..6008d8f72 100644
--- a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed2.yaml
+++ b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed2.yaml
@@ -7,9 +7,6 @@ metadata:
labels:
app: nginx-seccomp
spec:
- securityContext:
- seccompProfile:
- type: Unconfined
containers:
- name: nginx
image: nginx
diff --git a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml
new file mode 100644
index 000000000..e08463f18
--- /dev/null
+++ b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-seccomp-disallowed2
+ labels:
+ app: nginx-seccomp
+spec:
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/library/pod-security-policy/seccomp/suite.yaml b/library/pod-security-policy/seccomp/suite.yaml
index 96e0f958b..1411d20c5 100644
--- a/library/pod-security-policy/seccomp/suite.yaml
+++ b/library/pod-security-policy/seccomp/suite.yaml
@@ -11,7 +11,7 @@ tests:
object: samples/psp-seccomp/example_disallowed2.yaml
assertions:
- violations: 1
- message: "Seccomp profile 'Unconfined' is not allowed for container 'nginx'. Found at: annotation seccomp.security.alpha.kubernetes.io/pod"
+ message: "Seccomp profile 'unconfined' is not allowed for container 'nginx'. Found at: annotation seccomp.security.alpha.kubernetes.io/pod"
- name: example-disallowed-container
object: samples/psp-seccomp/example_disallowed.yaml
assertions:
@@ -30,3 +30,12 @@ tests:
assertions:
- violations: 1
message: "Seccomp profile 'unconfined' is not allowed for container 'nginx'. Found at: annotation container.seccomp.security.alpha.kubernetes.io/nginx"
+ - name: example-allowed-global-securityContext
+ object: samples/psp-seccomp/example_allowed3.yaml
+ assertions:
+ - violations: no
+ - name: example-disallowed-global-securityContext
+ object: samples/psp-seccomp/example_disallowed3.yaml
+ assertions:
+ - violations: 1
+ message: "Seccomp profile 'Unconfined' is not allowed for container 'nginx'. Found at: pod securityContext"
diff --git a/website/docs/validation/seccomp.md b/website/docs/validation/seccomp.md
index 72303cefe..38868864f 100644
--- a/website/docs/validation/seccomp.md
+++ b/website/docs/validation/seccomp.md
@@ -343,9 +343,6 @@ metadata:
labels:
app: nginx-seccomp
spec:
- securityContext:
- seccompProfile:
- type: Unconfined
containers:
- name: nginx
image: nginx
@@ -465,6 +462,60 @@ Usage
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/seccomp/samples/psp-seccomp/disallowed_ephemeral.yaml
```
+
+
+example-allowed-global-securityContext
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-seccomp-allowed2
+ labels:
+ app: nginx-seccomp
+spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: nginx
+ image: nginx
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml
+```
+
+
+
+example-disallowed-global-securityContext
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-seccomp-disallowed2
+ labels:
+ app: nginx-seccomp
+spec:
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ containers:
+ - name: nginx
+ image: nginx
+
+```
+
+Usage
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml
+```
+
From eca75af2c795ecd7f56a89176e7bdc58eadacc9b Mon Sep 17 00:00:00 2001
From: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
Date: Wed, 11 Oct 2023 11:03:28 +0300
Subject: [PATCH 08/11] new test suites
Signed-off-by: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
---
.../1.0.0/samples/psp-seccomp/example_allowed3.yaml | 13 +++++++++++++
.../samples/psp-seccomp/example_disallowed3.yaml | 13 +++++++++++++
2 files changed, 26 insertions(+)
create mode 100644 artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed3.yaml
create mode 100644 artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_disallowed3.yaml
diff --git a/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed3.yaml b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed3.yaml
new file mode 100644
index 000000000..555aacf6e
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed3.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-seccomp-allowed2
+ labels:
+ app: nginx-seccomp
+spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: nginx
+ image: nginx
diff --git a/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_disallowed3.yaml b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_disallowed3.yaml
new file mode 100644
index 000000000..e08463f18
--- /dev/null
+++ b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_disallowed3.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: nginx-seccomp-disallowed2
+ labels:
+ app: nginx-seccomp
+spec:
+ securityContext:
+ seccompProfile:
+ type: Unconfined
+ containers:
+ - name: nginx
+ image: nginx
From e17acb195a3ab73790ade8e24d2a780de342337e Mon Sep 17 00:00:00 2001
From: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
Date: Wed, 11 Oct 2023 11:07:48 +0300
Subject: [PATCH 09/11] new test suites
Signed-off-by: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
---
.../seccomp/1.0.0/samples/psp-seccomp/example_allowed3.yaml | 2 +-
.../1.0.0/samples/psp-seccomp/example_disallowed3.yaml | 2 +-
.../seccomp/samples/psp-seccomp/example_allowed3.yaml | 2 +-
.../seccomp/samples/psp-seccomp/example_disallowed3.yaml | 2 +-
website/docs/validation/seccomp.md | 4 ++--
5 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed3.yaml b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed3.yaml
index 555aacf6e..722455830 100644
--- a/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed3.yaml
+++ b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed3.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
kind: Pod
metadata:
- name: nginx-seccomp-allowed2
+ name: nginx-seccomp-allowed3
labels:
app: nginx-seccomp
spec:
diff --git a/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_disallowed3.yaml b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_disallowed3.yaml
index e08463f18..2b4f167ec 100644
--- a/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_disallowed3.yaml
+++ b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_disallowed3.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
kind: Pod
metadata:
- name: nginx-seccomp-disallowed2
+ name: nginx-seccomp-disallowed3
labels:
app: nginx-seccomp
spec:
diff --git a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml
index 555aacf6e..722455830 100644
--- a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml
+++ b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed3.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
kind: Pod
metadata:
- name: nginx-seccomp-allowed2
+ name: nginx-seccomp-allowed3
labels:
app: nginx-seccomp
spec:
diff --git a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml
index e08463f18..2b4f167ec 100644
--- a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml
+++ b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_disallowed3.yaml
@@ -1,7 +1,7 @@
apiVersion: v1
kind: Pod
metadata:
- name: nginx-seccomp-disallowed2
+ name: nginx-seccomp-disallowed3
labels:
app: nginx-seccomp
spec:
diff --git a/website/docs/validation/seccomp.md b/website/docs/validation/seccomp.md
index 38868864f..5202dbd9c 100644
--- a/website/docs/validation/seccomp.md
+++ b/website/docs/validation/seccomp.md
@@ -470,7 +470,7 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
apiVersion: v1
kind: Pod
metadata:
- name: nginx-seccomp-allowed2
+ name: nginx-seccomp-allowed3
labels:
app: nginx-seccomp
spec:
@@ -497,7 +497,7 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-
apiVersion: v1
kind: Pod
metadata:
- name: nginx-seccomp-disallowed2
+ name: nginx-seccomp-disallowed3
labels:
app: nginx-seccomp
spec:
From ae5d19ff684ac993d66871eb84a6550ba84929a0 Mon Sep 17 00:00:00 2001
From: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
Date: Wed, 11 Oct 2023 11:14:22 +0300
Subject: [PATCH 10/11] test suites fix
Signed-off-by: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
---
.../seccomp/samples/psp-seccomp/example_allowed2.yaml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed2.yaml b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed2.yaml
index 692f1d55d..f8766e774 100644
--- a/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed2.yaml
+++ b/library/pod-security-policy/seccomp/samples/psp-seccomp/example_allowed2.yaml
@@ -7,9 +7,6 @@ metadata:
labels:
app: nginx-seccomp
spec:
- securityContext:
- seccompProfile:
- type: RuntimeDefault
containers:
- name: nginx
image: nginx
From 7d1e7967e2e1a0b5baadc0a6cca2512a59404a69 Mon Sep 17 00:00:00 2001
From: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
Date: Wed, 11 Oct 2023 11:15:31 +0300
Subject: [PATCH 11/11] test suites fix
Signed-off-by: Aleksandr Arefev <39635005+alexarefev@users.noreply.github.com>
---
.../seccomp/1.0.0/samples/psp-seccomp/example_allowed2.yaml | 3 ---
website/docs/validation/seccomp.md | 3 ---
2 files changed, 6 deletions(-)
diff --git a/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed2.yaml b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed2.yaml
index 692f1d55d..f8766e774 100644
--- a/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed2.yaml
+++ b/artifacthub/library/pod-security-policy/seccomp/1.0.0/samples/psp-seccomp/example_allowed2.yaml
@@ -7,9 +7,6 @@ metadata:
labels:
app: nginx-seccomp
spec:
- securityContext:
- seccompProfile:
- type: RuntimeDefault
containers:
- name: nginx
image: nginx
diff --git a/website/docs/validation/seccomp.md b/website/docs/validation/seccomp.md
index 5202dbd9c..32fb4b802 100644
--- a/website/docs/validation/seccomp.md
+++ b/website/docs/validation/seccomp.md
@@ -421,9 +421,6 @@ metadata:
labels:
app: nginx-seccomp
spec:
- securityContext:
- seccompProfile:
- type: RuntimeDefault
containers:
- name: nginx
image: nginx