Merge pull request #22346 from tengqm/zh-fix-examples

[zh] fix examples test

content/zh/examples/admin/sched/my-scheduler.yaml

@@ -17,6 +17,19 @@ roleRef:
   name: system:kube-scheduler
   apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: my-scheduler-as-volume-scheduler
+subjects:
+- kind: ServiceAccount
+  name: my-scheduler
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: system:volume-scheduler
+  apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:

content/zh/examples/application/deployment-retainkeys.yaml

@@ -0,0 +1,19 @@
+apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
+kind: Deployment
+metadata:
+  name: retainkeys-demo
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  strategy:
+    rollingUpdate:
+      maxSurge: 30%
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: retainkeys-demo-ctr
+        image: nginx

content/zh/examples/controllers/fluentd-daemonset-update.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: fluentd-elasticsearch
+  namespace: kube-system
+  labels:
+    k8s-app: fluentd-logging
+spec:
+  selector:
+    matchLabels:
+      name: fluentd-elasticsearch
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  template:
+    metadata:
+      labels:
+        name: fluentd-elasticsearch
+    spec:
+      tolerations:
+      # this toleration is to have the daemonset runnable on master nodes
+      # remove it if your masters can't run pods
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+      containers:
+      - name: fluentd-elasticsearch
+        image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2
+        resources:
+          limits:
+            memory: 200Mi
+          requests:
+            cpu: 100m
+            memory: 200Mi
+        volumeMounts:
+        - name: varlog
+          mountPath: /var/log
+        - name: varlibdockercontainers
+          mountPath: /var/lib/docker/containers
+          readOnly: true
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: varlog
+        hostPath:
+          path: /var/log
+      - name: varlibdockercontainers
+        hostPath:
+          path: /var/lib/docker/containers

content/zh/examples/controllers/fluentd-daemonset.yaml

@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: fluentd-elasticsearch
+  namespace: kube-system
+  labels:
+    k8s-app: fluentd-logging
+spec:
+  selector:
+    matchLabels:
+      name: fluentd-elasticsearch
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  template:
+    metadata:
+      labels:
+        name: fluentd-elasticsearch
+    spec:
+      tolerations:
+      # this toleration is to have the daemonset runnable on master nodes
+      # remove it if your masters can't run pods
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+      containers:
+      - name: fluentd-elasticsearch
+        image: quay.io/fluentd_elasticsearch/fluentd:v2.5.2
+        volumeMounts:
+        - name: varlog
+          mountPath: /var/log
+        - name: varlibdockercontainers
+          mountPath: /var/lib/docker/containers
+          readOnly: true
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: varlog
+        hostPath:
+          path: /var/log
+      - name: varlibdockercontainers
+        hostPath:
+          path: /var/lib/docker/containers

content/zh/examples/examples_test.go

@@ -28,34 +28,105 @@ import (
 	"testing"
 
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/apimachinery/pkg/util/yaml"
-	utilfeature "k8s.io/apiserver/pkg/util/feature"
+	// "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
-	"k8s.io/kubernetes/pkg/api/testapi"
+
 	"k8s.io/kubernetes/pkg/apis/apps"
 	apps_validation "k8s.io/kubernetes/pkg/apis/apps/validation"
+
 	"k8s.io/kubernetes/pkg/apis/autoscaling"
 	autoscaling_validation "k8s.io/kubernetes/pkg/apis/autoscaling/validation"
+
 	"k8s.io/kubernetes/pkg/apis/batch"
 	batch_validation "k8s.io/kubernetes/pkg/apis/batch/validation"
+
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/apis/core/validation"
-	"k8s.io/kubernetes/pkg/apis/extensions"
-	ext_validation "k8s.io/kubernetes/pkg/apis/extensions/validation"
+
+	"k8s.io/kubernetes/pkg/apis/networking"
+	networking_validation "k8s.io/kubernetes/pkg/apis/networking/validation"
+
 	"k8s.io/kubernetes/pkg/apis/policy"
 	policy_validation "k8s.io/kubernetes/pkg/apis/policy/validation"
+
 	"k8s.io/kubernetes/pkg/apis/rbac"
 	rbac_validation "k8s.io/kubernetes/pkg/apis/rbac/validation"
+
 	"k8s.io/kubernetes/pkg/apis/settings"
 	settings_validation "k8s.io/kubernetes/pkg/apis/settings/validation"
+
 	"k8s.io/kubernetes/pkg/apis/storage"
 	storage_validation "k8s.io/kubernetes/pkg/apis/storage/validation"
+
 	"k8s.io/kubernetes/pkg/capabilities"
 	"k8s.io/kubernetes/pkg/registry/batch/job"
+
+	// initialize install packages
+	_ "k8s.io/kubernetes/pkg/apis/apps/install"
+	_ "k8s.io/kubernetes/pkg/apis/autoscaling/install"
+	_ "k8s.io/kubernetes/pkg/apis/batch/install"
+	_ "k8s.io/kubernetes/pkg/apis/core/install"
+	_ "k8s.io/kubernetes/pkg/apis/networking/install"
+	_ "k8s.io/kubernetes/pkg/apis/policy/install"
+	_ "k8s.io/kubernetes/pkg/apis/rbac/install"
+	_ "k8s.io/kubernetes/pkg/apis/settings/install"
+	_ "k8s.io/kubernetes/pkg/apis/storage/install"
 )
 
+var (
+	Groups     map[string]TestGroup
+	serializer runtime.SerializerInfo
+)
+
+// TestGroup contains GroupVersion to uniquely identify the API
+type TestGroup struct {
+	externalGroupVersion schema.GroupVersion
+}
+
+// GroupVersion makes copy of schema.GroupVersion
+func (g TestGroup) GroupVersion() *schema.GroupVersion {
+	copyOfGroupVersion := g.externalGroupVersion
+	return &copyOfGroupVersion
+}
+
+// Codec returns the codec for the API version to test against
+func (g TestGroup) Codec() runtime.Codec {
+	if serializer.Serializer == nil {
+		return legacyscheme.Codecs.LegacyCodec(g.externalGroupVersion)
+	}
+	return legacyscheme.Codecs.CodecForVersions(serializer.Serializer, legacyscheme.Codecs.UniversalDeserializer(), schema.GroupVersions{g.externalGroupVersion}, nil)
+}
+
+func initGroups() {
+	Groups = make(map[string]TestGroup)
+
+	groupNames := []string{
+		api.GroupName,
+		apps.GroupName,
+		autoscaling.GroupName,
+		batch.GroupName,
+		networking.GroupName,
+		policy.GroupName,
+		rbac.GroupName,
+		settings.GroupName,
+		storage.GroupName,
+	}
+
+	for _, gn := range groupNames {
+		versions := legacyscheme.Scheme.PrioritizedVersionsForGroup(gn)
+		Groups[gn] = TestGroup{
+			externalGroupVersion: schema.GroupVersion{
+				Group:   gn,
+				Version: versions[0].Version,
+			},
+		}
+	}
+}
+
 func getCodecForObject(obj runtime.Object) (runtime.Codec, error) {
 	kinds, _, err := legacyscheme.Scheme.ObjectKinds(obj)
 	if err != nil {
@@ -63,7 +134,7 @@ func getCodecForObject(obj runtime.Object) (runtime.Codec, error) {
 	}
 	kind := kinds[0]
 
-	for _, group := range testapi.Groups {
+	for _, group := range Groups {
 		if group.GroupVersion().Group != kind.Group {
 			continue
 		}
@@ -85,7 +156,7 @@ func getCodecForObject(obj runtime.Object) (runtime.Codec, error) {
 
 func validateObject(obj runtime.Object) (errors field.ErrorList) {
 	// Enable CustomPodDNS for testing
-	utilfeature.DefaultFeatureGate.Set("CustomPodDNS=true")
+	// feature.DefaultFeatureGate.Set("CustomPodDNS=true")
 	switch t := obj.(type) {
 	case *api.ConfigMap:
 		if t.Namespace == "" {
@@ -96,7 +167,7 @@ func validateObject(obj runtime.Object) (errors field.ErrorList) {
 		if t.Namespace == "" {
 			t.Namespace = api.NamespaceDefault
 		}
-		errors = validation.ValidateEndpoints(t)
+		errors = validation.ValidateEndpointsCreate(t)
 	case *api.LimitRange:
 		if t.Namespace == "" {
 			t.Namespace = api.NamespaceDefault
@@ -115,7 +186,10 @@ func validateObject(obj runtime.Object) (errors field.ErrorList) {
 		if t.Namespace == "" {
 			t.Namespace = api.NamespaceDefault
 		}
-		errors = validation.ValidatePod(t)
+		opts := validation.PodValidationOptions{
+			AllowMultipleHugePageResources: true,
+		}
+		errors = validation.ValidatePod(t, opts)
 	case *api.PodList:
 		for i := range t.Items {
 			errors = append(errors, validateObject(&t.Items[i])...)
@@ -148,7 +222,7 @@ func validateObject(obj runtime.Object) (errors field.ErrorList) {
 		if t.Namespace == "" {
 			t.Namespace = api.NamespaceDefault
 		}
-		errors = validation.ValidateService(t)
+		errors = validation.ValidateService(t, true)
 	case *api.ServiceAccount:
 		if t.Namespace == "" {
 			t.Namespace = api.NamespaceDefault
@@ -189,11 +263,15 @@ func validateObject(obj runtime.Object) (errors field.ErrorList) {
 			t.Namespace = api.NamespaceDefault
 		}
 		errors = apps_validation.ValidateDeployment(t)
-	case *extensions.Ingress:
+	case *networking.Ingress:
 		if t.Namespace == "" {
 			t.Namespace = api.NamespaceDefault
 		}
-		errors = ext_validation.ValidateIngress(t)
+		gv := schema.GroupVersion{
+			Group:   networking.GroupName,
+			Version: legacyscheme.Scheme.PrioritizedVersionsForGroup(networking.GroupName)[0].Version,
+		}
+		errors = networking_validation.ValidateIngressCreate(t, gv)
 	case *policy.PodSecurityPolicy:
 		errors = policy_validation.ValidatePodSecurityPolicy(t)
 	case *apps.ReplicaSet:
@@ -206,6 +284,11 @@ func validateObject(obj runtime.Object) (errors field.ErrorList) {
 			t.Namespace = api.NamespaceDefault
 		}
 		errors = batch_validation.ValidateCronJob(t)
+	case *networking.NetworkPolicy:
+		if t.Namespace == "" {
+			t.Namespace = api.NamespaceDefault
+		}
+		errors = networking_validation.ValidateNetworkPolicy(t)
 	case *policy.PodDisruptionBudget:
 		if t.Namespace == "" {
 			t.Namespace = api.NamespaceDefault
@@ -247,10 +330,6 @@ func walkConfigFiles(inDir string, t *testing.T, fn func(name, path string, data
 			if err != nil {
 				return err
 			}
-			// workaround for Jekyllr limit
-			if bytes.HasPrefix(data, []byte("---\n")) {
-				return fmt.Errorf("YAML file cannot start with \"---\", please remove the first line")
-			}
 			name := strings.TrimSuffix(file, ext)
 
 			var docs [][]byte
@@ -286,11 +365,14 @@ func walkConfigFiles(inDir string, t *testing.T, fn func(name, path string, data
 }
 
 func TestExampleObjectSchemas(t *testing.T) {
+	initGroups()
+
 	// Please help maintain the alphabeta order in the map
 	cases := map[string]map[string][]runtime.Object{
 		"admin": {
-			"namespace-dev":  {&api.Namespace{}},
-			"namespace-prod": {&api.Namespace{}},
+			"namespace-dev":        {&api.Namespace{}},
+			"namespace-prod":       {&api.Namespace{}},
+			"snowflake-deployment": {&apps.Deployment{}},
 		},
 		"admin/cloud": {
 			"ccm-example": {&api.ServiceAccount{}, &rbac.ClusterRoleBinding{}, &apps.DaemonSet{}},
@@ -298,6 +380,7 @@ func TestExampleObjectSchemas(t *testing.T) {
 		"admin/dns": {
 			"busybox":                   {&api.Pod{}},
 			"dns-horizontal-autoscaler": {&apps.Deployment{}},
+			"dnsutils":                  {&api.Pod{}},
 		},
 		"admin/logging": {
 			"fluentd-sidecar-config":                  {&api.ConfigMap{}},
@@ -343,21 +426,23 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"storagelimits":            {&api.LimitRange{}},
 		},
 		"admin/sched": {
-			"my-scheduler": {&api.ServiceAccount{}, &rbac.ClusterRoleBinding{}, &apps.Deployment{}},
+			"my-scheduler": {&api.ServiceAccount{}, &rbac.ClusterRoleBinding{}, &rbac.ClusterRoleBinding{}, &apps.Deployment{}},
 			"pod1":         {&api.Pod{}},
 			"pod2":         {&api.Pod{}},
 			"pod3":         {&api.Pod{}},
 		},
 		"application": {
-			"deployment":         {&apps.Deployment{}},
-			"deployment-patch":   {&apps.Deployment{}},
-			"deployment-scale":   {&apps.Deployment{}},
-			"deployment-update":  {&apps.Deployment{}},
-			"nginx-app":          {&api.Service{}, &apps.Deployment{}},
-			"nginx-with-request": {&apps.Deployment{}},
-			"shell-demo":         {&api.Pod{}},
-			"simple_deployment":  {&apps.Deployment{}},
-			"update_deployment":  {&apps.Deployment{}},
+			"deployment":            {&apps.Deployment{}},
+			"deployment-patch":      {&apps.Deployment{}},
+			"deployment-retainkeys": {&apps.Deployment{}},
+			"deployment-scale":      {&apps.Deployment{}},
+			"deployment-update":     {&apps.Deployment{}},
+			"nginx-app":             {&api.Service{}, &apps.Deployment{}},
+			"nginx-with-request":    {&apps.Deployment{}},
+			"php-apache":            {&apps.Deployment{}, &api.Service{}},
+			"shell-demo":            {&api.Pod{}},
+			"simple_deployment":     {&apps.Deployment{}},
+			"update_deployment":     {&apps.Deployment{}},
 		},
 		"application/cassandra": {
 			"cassandra-service":     {&api.Service{}},
@@ -413,15 +498,17 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"configmap-multikeys": {&api.ConfigMap{}},
 		},
 		"controllers": {
-			"daemonset":               {&apps.DaemonSet{}},
-			"frontend":                {&apps.ReplicaSet{}},
-			"hpa-rs":                  {&autoscaling.HorizontalPodAutoscaler{}},
-			"job":                     {&batch.Job{}},
-			"replicaset":              {&apps.ReplicaSet{}},
-			"replication":             {&api.ReplicationController{}},
-			"replication-nginx-1.7.9": {&api.ReplicationController{}},
-			"replication-nginx-1.9.2": {&api.ReplicationController{}},
-			"nginx-deployment":        {&apps.Deployment{}},
+			"daemonset":                {&apps.DaemonSet{}},
+			"fluentd-daemonset":        {&apps.DaemonSet{}},
+			"fluentd-daemonset-update": {&apps.DaemonSet{}},
+			"frontend":                 {&apps.ReplicaSet{}},
+			"hpa-rs":                   {&autoscaling.HorizontalPodAutoscaler{}},
+			"job":                      {&batch.Job{}},
+			"replicaset":               {&apps.ReplicaSet{}},
+			"replication":              {&api.ReplicationController{}},
+			"replication-nginx-1.14.2": {&api.ReplicationController{}},
+			"replication-nginx-1.16.1": {&api.ReplicationController{}},
+			"nginx-deployment":         {&apps.Deployment{}},
 		},
 		"debug": {
 			"counter-pod":                     {&api.Pod{}},
@@ -455,6 +542,8 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"pod-configmap-volume":                {&api.Pod{}},
 			"pod-configmap-volume-specific-key":   {&api.Pod{}},
 			"pod-multiple-configmap-env-variable": {&api.Pod{}},
+			"pod-nginx-preferred-affinity":        {&api.Pod{}},
+			"pod-nginx-required-affinity":         {&api.Pod{}},
 			"pod-nginx-specific-node":             {&api.Pod{}},
 			"pod-nginx":                           {&api.Pod{}},
 			"pod-projected-svc-token":             {&api.Pod{}},
@@ -462,6 +551,7 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"pod-single-configmap-env-variable":   {&api.Pod{}},
 			"pod-with-node-affinity":              {&api.Pod{}},
 			"pod-with-pod-affinity":               {&api.Pod{}},
+			"pod-with-toleration":                 {&api.Pod{}},
 			"private-reg-pod":                     {&api.Pod{}},
 			"share-process-namespace":             {&api.Pod{}},
 			"simple-pod":                          {&api.Pod{}},
@@ -471,14 +561,17 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"redis-pod": {&api.Pod{}},
 		},
 		"pods/inject": {
-			"dapi-envars-container": {&api.Pod{}},
-			"dapi-envars-pod":       {&api.Pod{}},
-			"dapi-volume":           {&api.Pod{}},
-			"dapi-volume-resources": {&api.Pod{}},
-			"envars":                {&api.Pod{}},
-			"secret":                {&api.Secret{}},
-			"secret-envars-pod":     {&api.Pod{}},
-			"secret-pod":            {&api.Pod{}},
+			"dapi-envars-container":            {&api.Pod{}},
+			"dapi-envars-pod":                  {&api.Pod{}},
+			"dapi-volume":                      {&api.Pod{}},
+			"dapi-volume-resources":            {&api.Pod{}},
+			"envars":                           {&api.Pod{}},
+			"pod-multiple-secret-env-variable": {&api.Pod{}},
+			"pod-secret-envFrom":               {&api.Pod{}},
+			"pod-single-secret-env-variable":   {&api.Pod{}},
+			"secret":                           {&api.Secret{}},
+			"secret-envars-pod":                {&api.Pod{}},
+			"secret-pod":                       {&api.Pod{}},
 		},
 		"pods/probe": {
 			"exec-liveness":                   {&api.Pod{}},
@@ -517,38 +610,53 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"redis":     {&api.Pod{}},
 		},
 		"policy": {
+			"baseline-psp":   {&policy.PodSecurityPolicy{}},
+			"example-psp":    {&policy.PodSecurityPolicy{}},
 			"privileged-psp": {&policy.PodSecurityPolicy{}},
 			"restricted-psp": {&policy.PodSecurityPolicy{}},
-			"example-psp":    {&policy.PodSecurityPolicy{}},
 			"zookeeper-pod-disruption-budget-maxunavailable": {&policy.PodDisruptionBudget{}},
-			"zookeeper-pod-disruption-budget-minunavailable": {&policy.PodDisruptionBudget{}},
+			"zookeeper-pod-disruption-budget-minavailable":   {&policy.PodDisruptionBudget{}},
 		},
 		"service": {
-			"nginx-service": {&api.Service{}},
+			"nginx-service":         {&api.Service{}},
+			"load-balancer-example": {&apps.Deployment{}},
 		},
 		"service/access": {
-			"frontend":      {&api.Service{}, &apps.Deployment{}},
-			"hello-service": {&api.Service{}},
-			"hello":         {&apps.Deployment{}},
+			"frontend":          {&api.Service{}, &apps.Deployment{}},
+			"hello-application": {&apps.Deployment{}},
+			"hello-service":     {&api.Service{}},
+			"hello":             {&apps.Deployment{}},
 		},
 		"service/networking": {
-			"curlpod":          {&apps.Deployment{}},
-			"custom-dns":       {&api.Pod{}},
-			"hostaliases-pod":  {&api.Pod{}},
-			"ingress":          {&extensions.Ingress{}},
-			"nginx-secure-app": {&api.Service{}, &apps.Deployment{}},
-			"nginx-svc":        {&api.Service{}},
-			"run-my-nginx":     {&apps.Deployment{}},
+			"curlpod":                             {&apps.Deployment{}},
+			"custom-dns":                          {&api.Pod{}},
+			"dual-stack-default-svc":              {&api.Service{}},
+			"dual-stack-ipv4-svc":                 {&api.Service{}},
+			"dual-stack-ipv6-lb-svc":              {&api.Service{}},
+			"dual-stack-ipv6-svc":                 {&api.Service{}},
+			"hostaliases-pod":                     {&api.Pod{}},
+			"ingress":                             {&networking.Ingress{}},
+			"network-policy-allow-all-egress":     {&networking.NetworkPolicy{}},
+			"network-policy-allow-all-ingress":    {&networking.NetworkPolicy{}},
+			"network-policy-default-deny-egress":  {&networking.NetworkPolicy{}},
+			"network-policy-default-deny-ingress": {&networking.NetworkPolicy{}},
+			"network-policy-default-deny-all":     {&networking.NetworkPolicy{}},
+			"nginx-policy":                        {&networking.NetworkPolicy{}},
+			"nginx-secure-app":                    {&api.Service{}, &apps.Deployment{}},
+			"nginx-svc":                           {&api.Service{}},
+			"run-my-nginx":                        {&apps.Deployment{}},
 		},
 		"windows": {
-			"configmap-pod":       {&api.ConfigMap{}, &api.Pod{}},
-			"daemonset":           {&apps.DaemonSet{}},
-			"deploy-hyperv":       {&apps.Deployment{}},
-			"deploy-resource":     {&apps.Deployment{}},
-			"emptydir-pod":        {&api.Pod{}},
-			"hostpath-volume-pod": {&api.Pod{}},
-			"secret-pod":          {&api.Secret{}, &api.Pod{}},
-			"simple-pod":          {&api.Pod{}},
+			"configmap-pod":             {&api.ConfigMap{}, &api.Pod{}},
+			"daemonset":                 {&apps.DaemonSet{}},
+			"deploy-hyperv":             {&apps.Deployment{}},
+			"deploy-resource":           {&apps.Deployment{}},
+			"emptydir-pod":              {&api.Pod{}},
+			"hostpath-volume-pod":       {&api.Pod{}},
+			"run-as-username-container": {&api.Pod{}},
+			"run-as-username-pod":       {&api.Pod{}},
+			"secret-pod":                {&api.Secret{}, &api.Pod{}},
+			"simple-pod":                {&api.Pod{}},
 		},
 	}
 

content/zh/examples/policy/baseline-psp.yaml

@@ -0,0 +1,74 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: baseline
+  annotations:
+    # Optional: Allow the default AppArmor profile, requires setting the default.
+    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
+    # Optional: Allow the default seccomp profile, requires setting the default.
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default,unconfined'
+    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'unconfined'
+spec:
+  privileged: false
+  # The moby default capability set, defined here:
+  # https://github.com/moby/moby/blob/0a5cec2833f82a6ad797d70acbf9cbbaf8956017/oci/caps/defaults.go#L6-L19
+  allowedCapabilities:
+    - 'CHOWN'
+    - 'DAC_OVERRIDE'
+    - 'FSETID'
+    - 'FOWNER'
+    - 'MKNOD'
+    - 'NET_RAW'
+    - 'SETGID'
+    - 'SETUID'
+    - 'SETFCAP'
+    - 'SETPCAP'
+    - 'NET_BIND_SERVICE'
+    - 'SYS_CHROOT'
+    - 'KILL'
+    - 'AUDIT_WRITE'
+  # Allow all volume types except hostpath
+  volumes:
+    # 'core' volume types
+    - 'configMap'
+    - 'emptyDir'
+    - 'projected'
+    - 'secret'
+    - 'downwardAPI'
+    # Assume that persistentVolumes set up by the cluster admin are safe to use.
+    - 'persistentVolumeClaim'
+    # Allow all other non-hostpath volume types.
+    - 'awsElasticBlockStore'
+    - 'azureDisk'
+    - 'azureFile'
+    - 'cephFS'
+    - 'cinder'
+    - 'csi'
+    - 'fc'
+    - 'flexVolume'
+    - 'flocker'
+    - 'gcePersistentDisk'
+    - 'gitRepo'
+    - 'glusterfs'
+    - 'iscsi'
+    - 'nfs'
+    - 'photonPersistentDisk'
+    - 'portworxVolume'
+    - 'quobyte'
+    - 'rbd'
+    - 'scaleIO'
+    - 'storageos'
+    - 'vsphereVolume'
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  readOnlyRootFilesystem: false
+  runAsUser:
+    rule: 'RunAsAny'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'RunAsAny'
+  fsGroup:
+    rule: 'RunAsAny'

content/zh/examples/service/networking/network-policy-allow-all-egress.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:

content/zh/examples/service/networking/network-policy-allow-all-ingress.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:

content/zh/examples/service/networking/network-policy-default-deny-all.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:

content/zh/examples/service/networking/network-policy-default-deny-egress.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:

content/zh/examples/service/networking/network-policy-default-deny-ingress.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata: