diff --git a/helm/kyverno-policies/charts/kyverno-policies/.helmignore b/helm/kyverno-policies/charts/kyverno-policies/.helmignore
index 20b07486..85df807a 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/.helmignore
+++ b/helm/kyverno-policies/charts/kyverno-policies/.helmignore
@@ -1,2 +1,3 @@
+.helmignore
 ci/
 README.md.gotmpl
diff --git a/helm/kyverno-policies/charts/kyverno-policies/Chart.yaml b/helm/kyverno-policies/charts/kyverno-policies/Chart.yaml
index 1c41bfc5..60053a78 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/Chart.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 type: application
 name: kyverno-policies
-version: 3.0.4
-appVersion: v1.10.3
+version: 3.2.2
+appVersion: v1.12.2
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Pod Security Standards implemented as Kyverno policies
 keywords:
@@ -15,19 +15,9 @@ home: https://kyverno.io/policies/
 sources:
 - https://github.com/kyverno/policies
 maintainers:
- - name: Nirmata
- url: https://kyverno.io/
-kubeVersion: ">=1.16.0-0"
+ - name: kyverno-maintainers
+ email: cncf-kyverno-maintainers@lists.cncf.io
+kubeVersion: ">=1.25.0-0"
 annotations:
 artifacthub.io/operator: "false"
 artifacthub.io/prerelease: "false"
- # valid kinds are: added, changed, deprecated, removed, fixed and security
- artifacthub.io/changes: |
- - kind: added
- description: Add ability to configure autogen behavior
- - kind: fixed
- description: Support for customLabels, they were ignored up to now
- - kind: removed
- description: "Walk back change in PSS policy to send to to_upper"
- - kind: fixed
- description: Skip DELETE requests on policies using deny statements
diff --git a/helm/kyverno-policies/charts/kyverno-policies/README.md b/helm/kyverno-policies/charts/kyverno-policies/README.md
index 6a5ffeee..38a6abcd 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/README.md
+++ b/helm/kyverno-policies/charts/kyverno-policies/README.md
@@ -2,7 +2,7 @@
 Kubernetes Pod Security Standards implemented as Kyverno policies
-![Version: 3.0.4](https://img.shields.io/badge/Version-3.0.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.10.3](https://img.shields.io/badge/AppVersion-v1.10.3-informational?style=flat-square)
+![Version: 3.2.2](https://img.shields.io/badge/Version-3.2.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.12.2](https://img.shields.io/badge/AppVersion-v1.12.2-informational?style=flat-square)
 ## About
@@ -63,13 +63,14 @@ The command removes all the Kubernetes components associated with the chart and
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| policyKind | string | `"ClusterPolicy"` | Policy kind (`ClusterPolicy`, `Policy`) Set to `Policy` if you need namespaced policies and not cluster policies |
 | podSecurityStandard | string | `"baseline"` | Pod Security Standard profile (`baseline`, `restricted`, `privileged`, `custom`). For more info https://kyverno.io/policies/pod-security. |
 | podSecuritySeverity | string | `"medium"` | Pod Security Standard (`low`, `medium`, `high`). |
 | podSecurityPolicies | list | `[]` | Policies to include when `podSecurityStandard` is `custom`. |
 | includeOtherPolicies | list | `[]` | Additional policies to include from `other`. |
 | includeRestrictedPolicies | list | `[]` | Additional policies to include from `restricted`. |
 | failurePolicy | string | `"Fail"` | API server behavior if the webhook fails to respond ('Ignore', 'Fail') For more info: https://kyverno.io/docs/writing-policies/policy-settings/ |
-| validationFailureAction | string | `"audit"` | Validation failure action (`audit`, `enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
+| validationFailureAction | string | `"Audit"` | Validation failure action (`Audit`, `Enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
 | validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. |
 | validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. |
 | policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. |
@@ -78,6 +79,7 @@ The command removes all the Kubernetes components associated with the chart and
 | nameOverride | string | `nil` | Name override. |
 | customLabels | object | `{}` | Additional labels. |
 | background | bool | `true` | Policies background mode |
+| skipBackgroundRequests | bool | `nil` | SkipBackgroundRequests bypasses admission requests that are sent by the background controller |
 | kyvernoVersion | string | `"autodetect"` | Kyverno version The default of "autodetect" will try to determine the currently installed version from the deployment |
 ## Source Code
@@ -86,13 +88,13 @@ The command removes all the Kubernetes components associated with the chart and
 ## Requirements
-Kubernetes: `>=1.16.0-0`
+Kubernetes: `>=1.25.0-0`
 ## Maintainers
 | Name | Email | Url |
 | ---- | ------ | --- |
-| Nirmata | | |
+| kyverno-maintainers | | |
 ## Changes
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
index 993a7c77..c93d4601 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
@@ -2,7 +2,7 @@
 {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
 {{- include "kyverno-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -64,6 +64,9 @@ spec:
 operator: NotEquals
 value: DELETE
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
index 894beec5..58c33e22 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
@@ -1,7 +1,7 @@
 {{- $name := "disallow-host-namespaces" }}
 {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -48,6 +48,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
index 8793ef3a..5585a0d8 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
@@ -1,7 +1,7 @@
 {{- $name := "disallow-host-path" }}
 {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -47,6 +47,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
index 67ec3b9c..cf3bd191 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
@@ -1,7 +1,7 @@
 {{- $name := "disallow-host-ports" }}
 {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -47,6 +47,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
index 8ad2d0c8..3f925251 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
@@ -1,7 +1,7 @@
 {{- $name := "disallow-host-process" }}
 {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -48,6 +48,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
index 1d65f029..10f222bf 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
@@ -1,7 +1,7 @@
 {{- $name := "disallow-privileged-containers" }}
 {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -46,6 +46,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
index c607738c..c9ebfb20 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
@@ -1,7 +1,7 @@
 {{- $name := "disallow-proc-mount" }}
 {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -48,6 +48,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Changing the proc mount from the default is not allowed. The fields
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
index 89d0209d..f6045308 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
@@ -1,7 +1,7 @@
 {{- $name := "disallow-selinux" }}
 {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -46,6 +46,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Setting the SELinux type is restricted. The fields
@@ -83,6 +86,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Setting the SELinux user or role is forbidden. The fields
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
index b58c6877..4e261d87 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
@@ -1,7 +1,7 @@
 {{- $name := "restrict-apparmor-profiles" }}
 {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -49,6 +49,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Specifying other AppArmor profiles is disallowed. The annotation
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
index 99dbcabc..0798a645 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
@@ -1,7 +1,7 @@
 {{- $name := "restrict-seccomp" }}
 {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -47,6 +47,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Use of custom Seccomp profiles is disallowed. The fields
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
index 7e3da6ad..f8a3f54a 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
@@ -1,7 +1,7 @@
 {{- $name := "restrict-sysctls" }}
 {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -50,6 +50,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Setting additional sysctls above the allowed type is disallowed.
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/other/require-non-root-groups.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
index 759fab90..4e0b74d1 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
@@ -1,7 +1,7 @@
 {{- $name := "require-non-root-groups" }}
 {{- if eq (include "kyverno-policies.podSecurityOther" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -48,6 +48,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Running with root group IDs is disallowed. The fields
@@ -92,6 +95,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Containers cannot run with a root primary or supplementary GID. The field
@@ -111,6 +117,9 @@ spec:
 exclude:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Containers cannot run with a root primary or supplementary GID. The field
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
index 46ea01b1..ff563f15 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
@@ -2,7 +2,7 @@
 {{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
 {{- include "kyverno-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -65,6 +65,9 @@ spec:
 operator: NotEquals
 value: DELETE
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Containers must drop `ALL` capabilities.
@@ -107,6 +110,9 @@ spec:
 operator: NotEquals
 value: DELETE
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Any capabilities added other than NET_BIND_SERVICE are disallowed.
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
index 687a2eb4..646cb48a 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
@@ -1,7 +1,7 @@
 {{- $name := "disallow-privilege-escalation" }}
 {{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -46,6 +46,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Privilege escalation is disallowed. The fields
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
index f4087735..7bb165be 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
@@ -1,7 +1,7 @@
 {{- $name := "require-run-as-non-root-user" }}
 {{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -46,6 +46,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Running as root is not allowed. The fields spec.securityContext.runAsUser,
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
index 406689f3..8b1e5895 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
@@ -1,7 +1,7 @@
 {{- $name := "require-run-as-nonroot" }}
 {{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -47,6 +47,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
index af8888fe..28482459 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
@@ -1,7 +1,7 @@
 {{- $name := "restrict-seccomp-strict" }}
 {{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -49,6 +49,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Use of custom Seccomp profiles is disallowed. The fields
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
index f5e221c7..57aae652 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
@@ -2,7 +2,7 @@
 {{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }}
 {{- include "kyverno-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }}
 apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+kind: {{ .Values.policyKind }}
 metadata:
 name: {{ $name }}
 annotations:
@@ -66,6 +66,9 @@ spec:
 operator: NotEquals
 value: DELETE
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Only the following types of volumes may be used: configMap, csi, downwardAPI,
diff --git a/helm/kyverno-policies/charts/kyverno-policies/values.yaml b/helm/kyverno-policies/charts/kyverno-policies/values.yaml
index 4fe5dc7f..ceb9dadd 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/values.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/values.yaml
@@ -1,3 +1,7 @@
+# -- Policy kind (`ClusterPolicy`, `Policy`)
+# Set to `Policy` if you need namespaced policies and not cluster policies
+policyKind: ClusterPolicy
+
 # -- Pod Security Standard profile (`baseline`, `restricted`, `privileged`, `custom`).
 # For more info https://kyverno.io/policies/pod-security.
 podSecurityStandard: baseline
@@ -20,9 +24,9 @@ includeRestrictedPolicies: []
 # For more info: https://kyverno.io/docs/writing-policies/policy-settings/
 failurePolicy: Fail
-# -- Validation failure action (`audit`, `enforce`).
+# -- Validation failure action (`Audit`, `Enforce`).
 # For more info https://kyverno.io/docs/writing-policies/validate.
-validationFailureAction: audit
+validationFailureAction: Audit
 # -- Define validationFailureActionByPolicy for specific policies.
 # Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies.
@@ -97,6 +101,9 @@ customLabels: {}
 # -- Policies background mode
 background: true
+# -- (bool) SkipBackgroundRequests bypasses admission requests that are sent by the background controller
+skipBackgroundRequests: ~
+
 # -- Kyverno version
 # The default of "autodetect" will try to determine the currently installed version from the deployment
 kyvernoVersion: autodetect
diff --git a/vendir.lock.yml b/vendir.lock.yml
index 4664ea3e..b3b90325 100644
--- a/vendir.lock.yml
+++ b/vendir.lock.yml
@@ -2,10 +2,10 @@ apiVersion: vendir.k14s.io/v1alpha1
 directories:
 - contents:
 - git:
- commitTitle: release 1.10.3 (#8006)...
- sha: 8137b4b8afd7ab1464a42e717dc83f1cc471a4a1
+ commitTitle: Release v1.12.2 (#10298)...
+ sha: 36051a7af4cf6f4a1a1585a58ecbcfd6e2d62c93
 tags:
- - v1.10.3
+ - v1.12.2
 path: .
 path: helm/kyverno-policies/charts/kyverno-policies
 kind: LockConfig
diff --git a/vendir.yml b/vendir.yml
index 3fbb575b..64617ae9 100644
--- a/vendir.yml
+++ b/vendir.yml
@@ -6,7 +6,7 @@ directories:
 - path: .
 git:
 url: https://github.com/giantswarm/kyverno
- ref: v1.10.3
+ ref: v1.12.2
 includePaths:
 - charts/kyverno-policies/**
 newRootPath: charts/kyverno-policies