add yaml example for each category (#185)

* add yaml example for each category

Author: aabughosh

examples/accesscontrol/secContextCategory1.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  creationTimestamp: null
+  labels:
+    run: secontextpodcat1
+    app: test
+    test-network-function.com/generic: target
+    test-network-function.com/container: target
+  name: secontextpodcat1
+  namespace: tnf
+spec:
+  automountServiceAccountToken: false
+  securityContext:
+    runAsUser: 1000900000
+    runAsGroup: 1000900000
+    fsGroup: 1000900000
+  containers:
+    - image: quay.io/testnetworkfunction/cnf-test-partner:latest
+      name: test
+      resources: {}
+      securityContext:
+        seLinuxOptions:
+          level: "s0:c30,c15"
+        capabilities:
+          drop: ["KILL", "MKNOD", "SETUID", "SETGID"]
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: false
+        privileged: false
+  dnsPolicy: ClusterFirst
+  restartPolicy: Always

examples/accesscontrol/secContextCategory1UId0.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  creationTimestamp: null
+  labels:
+    run: secontextpodcat1uid0
+    app: test
+    test-network-function.com/generic: target
+    test-network-function.com/container: target
+  name: secontextpodcat1uid0
+  namespace: tnf
+spec:
+  automountServiceAccountToken: false
+  securityContext:
+    runAsUser: 1000900000
+    runAsGroup: 1000900000
+    fsGroup: 1000900000
+  containers:
+    - image: quay.io/testnetworkfunction/cnf-test-partner:latest
+      name: test
+      resources: {}
+      securityContext:
+        seLinuxOptions:
+          level: "s0:c30,c15"
+        capabilities:
+          drop: ["KILL", "MKNOD", "SETUID", "SETGID"]
+        runAsNonRoot: true
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: false
+        privileged: false
+  dnsPolicy: ClusterFirst
+  restartPolicy: Always

examples/accesscontrol/secContextCategory2.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  creationTimestamp: null
+  labels:
+    run: secontextpodcat2
+    app: test
+    test-network-function.com/generic: target
+    test-network-function.com/container: target
+  name: secontextpodcat2
+  namespace: tnf
+spec:
+  automountServiceAccountToken: false
+  securityContext:
+    runAsUser: 1000900000
+    runAsGroup: 1000900000
+    fsGroup: 1000900000
+  containers:
+    - image: quay.io/testnetworkfunction/cnf-test-partner:latest
+      name: test
+      resources: {}
+      securityContext:
+        seLinuxOptions:
+          level: "s0:c30,c15"
+        capabilities:
+          drop: ["KILL", "MKNOD", "SETUID", "SETGID"]
+          add: ["NET_ADMIN", "NET_RAW"]
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: false
+        privileged: false
+  dnsPolicy: ClusterFirst
+  restartPolicy: Always

examples/accesscontrol/secContextCategory3.yaml

@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  creationTimestamp: null
+  labels:
+    run: secontextpodcat3
+    app: test
+    test-network-function.com/generic: target
+    test-network-function.com/container: target
+  name: secontextpodcat3
+  namespace: tnf
+spec:
+  automountServiceAccountToken: false
+  securityContext:
+    runAsUser: 1000900000
+    runAsGroup: 1000900000
+    fsGroup: 1000900000
+  containers:
+    - image: quay.io/testnetworkfunction/cnf-test-partner:latest
+      name: test
+      resources: {}
+      securityContext:
+        seLinuxOptions:
+          level: "s0:c30,c15"
+        capabilities:
+          drop: ["KILL", "MKNOD", "SETUID", "SETGID"]
+          add: ["NET_ADMIN", "NET_RAW", "IPC_LOCK"]
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: false
+        privileged: false
+  dnsPolicy: ClusterFirst
+  restartPolicy: Always