weinong/az.yaml

## az.yaml
apiVersion: v1
kind: Pod
metadata:
  name: az-cli
spec:
  containers:
    - image: mcr.microsoft.com/azure-cli
      name: oidc
      command:
      - sleep
      - "6000"

## bash.yaml
apiVersion: v1
kind: Pod
metadata:
  name: bash
  labels:
    app: bash
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: bash
      image: bash
      command: [ "/usr/local/bin/bash", "-c", "--" ]
      args: [ "trap : TERM INT; sleep 9999999999d & wait" ]

## gistfile1.txt
apiVersion: v1
kind: Pod
metadata:
  name: pod-shell
spec:
  containers:
    - image: mcr.microsoft.com/cbl-mariner/base/core:2.0
      name: pod-shell
      command:
      - sleep
      - "6000"

## pod-with-projected-sa.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
---
apiVersion: v1
kind: Pod
metadata:
  name: mariner
spec:
  serviceAccountName: test-sa
  containers:
    - name: shell
      image: mcr.microsoft.com/cbl-mariner/base/core:2.0
      command: ["bash", "-c", "--"]
      args: ["trap : TERM INT; sleep 9999999999d & wait"]
      volumeMounts:
        - name: token-vol
          mountPath: "/var/run/secrets/tokens"
          readOnly: true
  volumes:
    - name: token-vol
      projected:
        sources:
          - serviceAccountToken:
              path: test-sa
              expirationSeconds: 7200
              audience: api://AzureADTokenExchange

## ubuntu-priv.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ubuntu-priv
spec:
  selector:
    matchLabels:
      app: ubuntu-priv
  replicas: 1
  template:
    metadata:
      labels:
        app: ubuntu-priv
    spec:
      containers:
      - name: ubuntu-priv
        image: ubuntu
        command: [ "/bin/bash", "-c", "--" ]
        args: [ "trap : TERM INT; sleep 9999999999d & wait" ]
        securityContext:
          privileged: true

## ubuntu.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ubuntu
spec:
  selector:
    matchLabels:
      app: ubuntu
  replicas: 1
  template:
    metadata:
      labels:
        app: ubuntu
    spec:
      containers:
      - name: ubuntu
        image: ubuntu
        command: [ "/bin/bash", "-c", "--" ]
        args: [ "trap : TERM INT; sleep 9999999999d & wait" ]
	apiVersion: v1
	kind: Pod
	metadata:
	name: az-cli
	spec:
	containers:
	- image: mcr.microsoft.com/azure-cli
	name: oidc
	command:
	- sleep
	- "6000"
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: test-sa
	---
	apiVersion: v1
	kind: Pod
	metadata:
	name: mariner
	spec:
	serviceAccountName: test-sa
	containers:
	- name: shell
	image: mcr.microsoft.com/cbl-mariner/base/core:2.0
	command: ["bash", "-c", "--"]
	args: ["trap : TERM INT; sleep 9999999999d & wait"]
	volumeMounts:
	- name: token-vol
	mountPath: "/var/run/secrets/tokens"
	readOnly: true
	volumes:
	- name: token-vol
	projected:
	sources:
	- serviceAccountToken:
	path: test-sa
	expirationSeconds: 7200
	audience: api://AzureADTokenExchange
	apiVersion: apps/v1
	kind: Deployment
	metadata:
	name: ubuntu-priv
	spec:
	selector:
	matchLabels:
	app: ubuntu-priv
	replicas: 1
	template:
	metadata:
	labels:
	app: ubuntu-priv
	spec:
	containers:
	- name: ubuntu-priv
	image: ubuntu
	command: [ "/bin/bash", "-c", "--" ]
	args: [ "trap : TERM INT; sleep 9999999999d & wait" ]
	securityContext:
	privileged: true