init

02-validation/02-security/test-resources/pod-insecure.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-insecure
+  namespace: default
+spec:
+  hostNetwork: true          # нарушение: host namespace
+  hostPID: true              # нарушение: host namespace
+  containers:
+  - name: app
+    image: nginx:1.25.3
+    securityContext:
+      privileged: true       # нарушение: привилегированный контейнер
+      runAsUser: 0           # нарушение: запуск от root
+      capabilities:
+        add:
+        - SYS_ADMIN          # нарушение: опасная capability
+    resources:
+      limits:
+        memory: "128Mi"
+        cpu: "100m"

02-validation/02-security/test-resources/pod-secure.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-secure
+  namespace: default
+spec:
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    seccompProfile:
+      type: RuntimeDefault
+  automountServiceAccountToken: false
+  containers:
+  - name: app
+    image: nginx:1.25.3
+    securityContext:
+      allowPrivilegeEscalation: false
+      readOnlyRootFilesystem: true
+      capabilities:
+        drop:
+        - ALL
+    resources:
+      requests:
+        memory: "64Mi"
+        cpu: "50m"
+      limits:
+        memory: "128Mi"
+        cpu: "100m"