diff --git a/helm/kyverno-policies/Chart.lock b/helm/kyverno-policies/Chart.lock index 4a5c56bf..4c319829 100644 --- a/helm/kyverno-policies/Chart.lock +++ b/helm/kyverno-policies/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: kyverno-policies repository: "" - version: 3.2.3 -digest: sha256:9027dcdad2c0fa1e1e64ba6fc59b9596f43316e07cc04253dfb2c66e2d8af1fd -generated: "2024-06-15T08:01:55.708883438Z" + version: 3.3.0 +digest: sha256:ff3bdf0871a85fe5e61188e473310ecaa83948f201cbfb1b8f82da617c027766 +generated: "2024-12-15T08:02:04.448396639Z" diff --git a/helm/kyverno-policies/Chart.yaml b/helm/kyverno-policies/Chart.yaml index 2e3943eb..36c43af0 100644 --- a/helm/kyverno-policies/Chart.yaml +++ b/helm/kyverno-policies/Chart.yaml @@ -4,7 +4,7 @@ annotations: application.giantswarm.io/team: shield dependencies: - name: kyverno-policies - version: 3.2.3 + version: 3.3.0 description: | Kubernetes Pod Security Standards implemented as Kyverno policies engine: gotpl diff --git a/helm/kyverno-policies/charts/kyverno-policies/Chart.yaml b/helm/kyverno-policies/charts/kyverno-policies/Chart.yaml index 4f998bde..f83b18c5 100644 --- a/helm/kyverno-policies/charts/kyverno-policies/Chart.yaml +++ b/helm/kyverno-policies/charts/kyverno-policies/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 type: application name: kyverno-policies -version: 3.2.3 -appVersion: v1.12.3 +version: 3.3.0 +appVersion: v1.13.0 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Pod Security Standards implemented as Kyverno policies keywords: @@ -21,3 +21,8 @@ kubeVersion: ">=1.25.0-0" annotations: artifacthub.io/operator: "false" artifacthub.io/prerelease: "false" + artifacthub.io/changes: | + - kind: removed + description: Remove spec.validationFailureAction field from policies as it is deprecated + - kind: added + description: Add spec.validate[*].failureAction field to policies 
diff --git a/helm/kyverno-policies/charts/kyverno-policies/README.md b/helm/kyverno-policies/charts/kyverno-policies/README.md index 9b37b06e..42d5f30e 100644 --- a/helm/kyverno-policies/charts/kyverno-policies/README.md +++ b/helm/kyverno-policies/charts/kyverno-policies/README.md @@ -2,7 +2,7 @@ Kubernetes Pod Security Standards implemented as Kyverno policies -![Version: 3.2.3](https://img.shields.io/badge/Version-3.2.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.12.3](https://img.shields.io/badge/AppVersion-v1.12.3-informational?style=flat-square) +![Version: 3.3.0](https://img.shields.io/badge/Version-3.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.13.0](https://img.shields.io/badge/AppVersion-v1.13.0-informational?style=flat-square) ## About @@ -37,6 +37,16 @@ An additional policy "require-non-root-groups" is included in an `other` group a For the latest version of these PSS policies, always refer to the kyverno/policies repo at https://github.com/kyverno/policies/tree/main/pod-security. +## Deploy custom policies +If you have custom policies you would like to deploy as part of the Helm release, provide their manifests in `.Values.customPolicies`: +````yaml +customPolicies: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: # metadata + spec: # spec +```` + ## Installing the Chart These PSS policies presently have a minimum requirement of Kyverno 1.6.0. 
@@ -69,6 +79,7 @@ The command removes all the Kubernetes components associated with the chart and | podSecurityPolicies | list | `[]` | Policies to include when `podSecurityStandard` is `custom`. | | includeOtherPolicies | list | `[]` | Additional policies to include from `other`. | | includeRestrictedPolicies | list | `[]` | Additional policies to include from `restricted`. | +| customPolicies | list | `[]` | Additional custom policies to include. | | failurePolicy | string | `"Fail"` | API server behavior if the webhook fails to respond ('Ignore', 'Fail') For more info: https://kyverno.io/docs/writing-policies/policy-settings/ | | validationFailureAction | string | `"Audit"` | Validation failure action (`Audit`, `Enforce`). For more info https://kyverno.io/docs/writing-policies/validate. | | validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. | diff --git a/helm/kyverno-policies/charts/kyverno-policies/README.md.gotmpl b/helm/kyverno-policies/charts/kyverno-policies/README.md.gotmpl index 59c54691..7108cabc 100644 --- a/helm/kyverno-policies/charts/kyverno-policies/README.md.gotmpl +++ b/helm/kyverno-policies/charts/kyverno-policies/README.md.gotmpl @@ -37,6 +37,16 @@ An additional policy "require-non-root-groups" is included in an `other` group a For the latest version of these PSS policies, always refer to the kyverno/policies repo at https://github.com/kyverno/policies/tree/main/pod-security. +## Deploy custom policies +If you have custom policies you would like to deploy as part of the Helm release, provide their manifests in `.Values.customPolicies`: +````yaml +customPolicies: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: # metadata + spec: # spec +```` + ## Installing the Chart These PSS policies presently have a minimum requirement of Kyverno 1.6.0. 
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/_helpers.tpl b/helm/kyverno-policies/charts/kyverno-policies/templates/_helpers.tpl index ef0b68f2..4f73c265 100644 --- a/helm/kyverno-policies/charts/kyverno-policies/templates/_helpers.tpl +++ b/helm/kyverno-policies/charts/kyverno-policies/templates/_helpers.tpl @@ -56,6 +56,15 @@ helm.sh/chart: {{ template "kyverno-policies.chart" . }} {{- end -}} {{- end -}} +{{/* Set if custom policies are managed */}} +{{- define "kyverno-policies.customPolicies" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} + {{/* Get deployed Kyverno version from Kubernetes */}} {{- define "kyverno-policies.kyvernoVersion" -}} {{- $version := "" -}} diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml index c93d4601..75f162ba 100644 --- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml +++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml @@ -22,14 +22,6 @@ metadata: Adding capabilities beyond those listed in the policy must be disallowed. labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} background: {{ .Values.background }} failurePolicy: {{ .Values.failurePolicy }} rules: 
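Review bot: The `kyverno-policies.customPolicies` helper runs every entry through `tpl`, so a Kyverno JMESPath variable such as `{{request.object.metadata.name}}` inside a user-supplied policy is parsed as a Go-template action and will most likely abort rendering with an undefined-function error, and neither the helper nor the new README section mentions it. Either document that such references must be escaped (`{{ "{{" }}request.object.metadata.name}}`) or apply `tpl` only to string-typed entries and emit map entries with plain `toYaml`. The header `{{/* Set if custom policies are managed */}}` does not say what the helper does; suggest `{{/* Render one customPolicies entry: a string is passed through tpl unchanged, a map is serialised with toYaml first; Go-template syntax in either form is evaluated against the chart context */}}`.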
@@ -68,6 +60,14 @@ spec: skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: + {{- with index .Values "validationFailureActionByPolicy" $name }} + failureAction: {{ toYaml . }} + {{- else }} + failureAction: {{ .Values.validationFailureAction }} + {{- end }} + {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} + failureActionOverrides: {{ toYaml . | nindent 8 }} + {{- end }} message: >- Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT) diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml index 58c33e22..916e6e75 100644 --- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml +++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml @@ -23,14 +23,6 @@ metadata: fields which make use of these host namespaces are unset or set to `false`. labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} background: {{ .Values.background }} failurePolicy: {{ .Values.failurePolicy }} rules: 
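Review bot: `failureAction` and `failureActionOverrides` now live under `validate`, a field that exists only in the Kyverno CRD schema this chart is being bumped to (appVersion v1.13.0), so on a cluster still running an older Kyverno the API server is likely to prune the unknown field and the policy would fall back to Kyverno's default (Audit) — an `Enforce` configuration silently degrades to audit-only, with no rendering error. The removed policy-level `validationFailureAction` was what kept enforcement on such clusters, so the chart should either fail fast (if the `kyverno-policies.kyvernoVersion` helper yields a comparable version, `{{- if semverCompare "<1.13.0" (include "kyverno-policies.kyvernoVersion" .) }}{{ fail "kyverno-policies: Kyverno >= 1.13.0 is required for validate.failureAction" }}{{- end }}` in a shared place) or at least state the new minimum, which the README hunk still gives as Kyverno 1.6.0. The same relocation is repeated in disallow-host-namespaces, disallow-host-path, disallow-host-ports, disallow-host-process, disallow-privileged-containers, disallow-proc-mount, disallow-selinux, restrict-apparmor-profiles, restrict-seccomp, restrict-sysctls, require-non-root-groups, disallow-capabilities-strict and disallow-privilege-escalation, and this note applies to each of them. The `nindent 8` on `failureActionOverrides` assumes `validate:` is indented four spaces; the collapsed hunk hides indentation, so confirm with `helm template` that the override list lands inside `validate` rather than beside it.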
@@ -52,6 +44,14 @@ spec: skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: + {{- with index .Values "validationFailureActionByPolicy" $name }} + failureAction: {{ toYaml . }} + {{- else }} + failureAction: {{ .Values.validationFailureAction }} + {{- end }} + {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} + failureActionOverrides: {{ toYaml . | nindent 8 }} + {{- end }} message: >- Sharing the host namespaces is disallowed. The fields spec.hostNetwork, spec.hostIPC, and spec.hostPID must be unset or set to `false`. diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml index 5585a0d8..c1b0efdd 100644 --- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml +++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml @@ -22,14 +22,6 @@ metadata: and should not be allowed. This policy ensures no hostPath volumes are in use. labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} background: {{ .Values.background }} failurePolicy: {{ .Values.failurePolicy }} rules: 
@@ -51,6 +43,14 @@ spec: skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: + {{- with index .Values "validationFailureActionByPolicy" $name }} + failureAction: {{ toYaml . }} + {{- else }} + failureAction: {{ .Values.validationFailureAction }} + {{- end }} + {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} + failureActionOverrides: {{ toYaml . | nindent 8 }} + {{- end }} message: >- HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset. pattern: diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml index cf3bd191..20a673de 100644 --- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml +++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml @@ -22,14 +22,6 @@ metadata: field is unset or set to `0`. labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} background: {{ .Values.background }} failurePolicy: {{ .Values.failurePolicy }} rules: 
@@ -51,6 +43,14 @@ spec: skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: + {{- with index .Values "validationFailureActionByPolicy" $name }} + failureAction: {{ toYaml . }} + {{- else }} + failureAction: {{ .Values.validationFailureAction }} + {{- end }} + {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} + failureActionOverrides: {{ toYaml . | nindent 8 }} + {{- end }} message: >- Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml index 3f925251..e33687c7 100644 --- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml +++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml @@ -23,14 +23,6 @@ metadata: the `hostProcess` field, if present, is set to `false`. labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} background: {{ .Values.background }} failurePolicy: {{ .Values.failurePolicy }} rules: 
@@ -52,6 +44,14 @@ spec: skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: + {{- with index .Values "validationFailureActionByPolicy" $name }} + failureAction: {{ toYaml . }} + {{- else }} + failureAction: {{ .Values.validationFailureAction }} + {{- end }} + {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} + failureActionOverrides: {{ toYaml . | nindent 8 }} + {{- end }} message: >- HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess, spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess, diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml index 10f222bf..fcba8378 100644 --- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml +++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml @@ -21,14 +21,6 @@ metadata: ensures Pods do not call for privileged mode. labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} background: {{ .Values.background }} failurePolicy: {{ .Values.failurePolicy }} rules: 
@@ -50,6 +42,14 @@ spec: skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: + {{- with index .Values "validationFailureActionByPolicy" $name }} + failureAction: {{ toYaml . }} + {{- else }} + failureAction: {{ .Values.validationFailureAction }} + {{- end }} + {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} + failureActionOverrides: {{ toYaml . | nindent 8 }} + {{- end }} message: >- Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged and spec.initContainers[*].securityContext.privileged must be unset or set to `false`. diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml index c9ebfb20..b10ee816 100644 --- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml +++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml @@ -23,14 +23,6 @@ metadata: server. labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} background: {{ .Values.background }} failurePolicy: {{ .Values.failurePolicy }} rules: 
@@ -52,6 +44,14 @@ spec: skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: + {{- with index .Values "validationFailureActionByPolicy" $name }} + failureAction: {{ toYaml . }} + {{- else }} + failureAction: {{ .Values.validationFailureAction }} + {{- end }} + {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} + failureActionOverrides: {{ toYaml . | nindent 8 }} + {{- end }} message: >- Changing the proc mount from the default is not allowed. The fields spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount, diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml index f6045308..70689d7b 100644 --- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml +++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml @@ -21,14 +21,6 @@ metadata: ensures that the `seLinuxOptions` field is undefined. labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} background: {{ .Values.background }} failurePolicy: {{ .Values.failurePolicy }} rules: 
@@ -50,6 +42,14 @@ spec: skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: + {{- with index .Values "validationFailureActionByPolicy" $name }} + failureAction: {{ toYaml . }} + {{- else }} + failureAction: {{ .Values.validationFailureAction }} + {{- end }} + {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} + failureActionOverrides: {{ toYaml . | nindent 8 }} + {{- end }} message: >- Setting the SELinux type is restricted. The fields spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type, @@ -90,6 +90,14 @@ spec: skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: + {{- with index .Values "validationFailureActionByPolicy" $name }} + failureAction: {{ toYaml . }} + {{- else }} + failureAction: {{ .Values.validationFailureAction }} + {{- end }} + {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} + failureActionOverrides: {{ toYaml . | nindent 8 }} + {{- end }} message: >- Setting the SELinux user or role is forbidden. The fields spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role, diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml index 4e261d87..9bc2a7f6 100644 --- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml +++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml 
@@ -24,14 +24,6 @@ metadata: specify any other AppArmor profiles than `runtime/default` or `localhost/*`. labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} background: {{ .Values.background }} failurePolicy: {{ .Values.failurePolicy }} rules: @@ -53,6 +45,14 @@ spec: skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: + {{- with index .Values "validationFailureActionByPolicy" $name }} + failureAction: {{ toYaml . }} + {{- else }} + failureAction: {{ .Values.validationFailureAction }} + {{- end }} + {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} + failureActionOverrides: {{ toYaml . | nindent 8 }} + {{- end }} message: >- Specifying other AppArmor profiles is disallowed. The annotation `container.apparmor.security.beta.kubernetes.io` if defined diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml index 0798a645..4572b210 100644 --- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml +++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml 
@@ -23,14 +23,6 @@ metadata: labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: background: {{ .Values.background }} - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} failurePolicy: {{ .Values.failurePolicy }} rules: - name: check-seccomp @@ -51,6 +43,14 @@ spec: skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: + {{- with index .Values "validationFailureActionByPolicy" $name }} + failureAction: {{ toYaml . }} + {{- else }} + failureAction: {{ .Values.validationFailureAction }} + {{- end }} + {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} + failureActionOverrides: {{ toYaml . | nindent 8 }} + {{- end }} message: >- Use of custom Seccomp profiles is disallowed. The fields spec.securityContext.seccompProfile.type, diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml index f8a3f54a..606313cf 100644 --- a/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml +++ b/helm/kyverno-policies/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml 
@@ -25,14 +25,6 @@ metadata: a Pod. labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} background: {{ .Values.background }} failurePolicy: {{ .Values.failurePolicy }} rules: @@ -54,6 +46,14 @@ spec: skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: + {{- with index .Values "validationFailureActionByPolicy" $name }} + failureAction: {{ toYaml . }} + {{- else }} + failureAction: {{ .Values.validationFailureAction }} + {{- end }} + {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} + failureActionOverrides: {{ toYaml . | nindent 8 }} + {{- end }} message: >- Setting additional sysctls above the allowed type is disallowed. The field spec.securityContext.sysctls must be unset or not use any other names diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/other/custom-policies.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/other/custom-policies.yaml new file mode 100644 index 00000000..be8c0441 --- /dev/null +++ b/helm/kyverno-policies/charts/kyverno-policies/templates/other/custom-policies.yaml @@ -0,0 +1,4 @@ +{{- range .Values.customPolicies }} +--- +{{ include "kyverno-policies.customPolicies" (dict "value" . "context" $) }} +{{- end }} diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/other/require-non-root-groups.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/other/require-non-root-groups.yaml index 4e0b74d1..3fe2a64b 100644 
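Review bot: Nothing in templates/other/custom-policies.yaml limits `customPolicies` entries to Kyverno resources; each entry is emitted verbatim as its own document, so a values file can now ship any Kubernetes manifest under the release, while the README section only calls them "custom policies". If that is intended, say so in the README; otherwise a guard before the `---` for map entries, `{{- if and (kindIs "map" .) (not (hasPrefix "kyverno.io/" (default "" (get . "apiVersion")))) }}{{ fail "customPolicies: entries must be kyverno.io resources" }}{{- end }}`, rejects other kinds, though string-typed entries (rendered straight through `tpl`) would still bypass it. A one-line header such as `{{/* One document per .Values.customPolicies entry, rendered through the kyverno-policies.customPolicies helper, so Go-template syntax in the entry is evaluated */}}` would also help, as the new file has no comment at all.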
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/other/require-non-root-groups.yaml +++ b/helm/kyverno-policies/charts/kyverno-policies/templates/other/require-non-root-groups.yaml @@ -23,14 +23,6 @@ metadata: using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: - {{- with index .Values "validationFailureActionByPolicy" $name }} - validationFailureAction: {{ toYaml . }} - {{- else }} - validationFailureAction: {{ .Values.validationFailureAction }} - {{- end }} - {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} - validationFailureActionOverrides: {{ toYaml . | nindent 4 }} - {{- end }} background: {{ .Values.background }} failurePolicy: {{ .Values.failurePolicy }} rules: @@ -52,6 +44,14 @@ spec: skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: + {{- with index .Values "validationFailureActionByPolicy" $name }} + failureAction: {{ toYaml . }} + {{- else }} + failureAction: {{ .Values.validationFailureAction }} + {{- end }} + {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} + failureActionOverrides: {{ toYaml . | nindent 8 }} + {{- end }} message: >- Running with root group IDs is disallowed. The fields spec.securityContext.runAsGroup, spec.containers[*].securityContext.runAsGroup, 
@@ -99,6 +99,14 @@ spec: skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: + {{- with index .Values "validationFailureActionByPolicy" $name }} + failureAction: {{ toYaml . }} + {{- else }} + failureAction: {{ .Values.validationFailureAction }} + {{- end }} + {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} + failureActionOverrides: {{ toYaml . | nindent 8 }} + {{- end }} message: >- Containers cannot run with a root primary or supplementary GID. The field spec.securityContext.supplementalGroups must be unset or @@ -121,6 +129,14 @@ spec: skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: + {{- with index .Values "validationFailureActionByPolicy" $name }} + failureAction: {{ toYaml . }} + {{- else }} + failureAction: {{ .Values.validationFailureAction }} + {{- end }} + {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }} + failureActionOverrides: {{ toYaml . | nindent 8 }} + {{- end }} message: >- Containers cannot run with a root primary or supplementary GID. The field spec.securityContext.fsGroup must be unset or set to a value greater than zero. diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml index ff563f15..f293db3f 100644 --- a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml +++ b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml 
@@ -23,14 +23,6 @@ metadata:
 all containers must explicitly drop `ALL` capabilities.
 labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
- {{- with index .Values "validationFailureActionByPolicy" $name }}
- validationFailureAction: {{ toYaml . }}
- {{- else }}
- validationFailureAction: {{ .Values.validationFailureAction }}
- {{- end }}
- {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
- validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
- {{- end }}
 background: {{ .Values.background }}
 failurePolicy: {{ .Values.failurePolicy }}
 rules:
@@ -69,6 +61,14 @@ spec:
 skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
 {{- end }}
 validate:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ failureAction: {{ toYaml . }}
+ {{- else }}
+ failureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ failureActionOverrides: {{ toYaml . | nindent 8 }}
+ {{- end }}
 message: >-
 Containers must drop `ALL` capabilities.
 foreach:
@@ -114,6 +114,14 @@ spec:
 skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
 {{- end }}
 validate:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ failureAction: {{ toYaml . }}
+ {{- else }}
+ failureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ failureActionOverrides: {{ toYaml . | nindent 8 }}
+ {{- end }}
 message: >-
 Any capabilities added other than NET_BIND_SERVICE are disallowed.
 foreach:
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
index 646cb48a..f94dca13 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
@@ -21,14 +21,6 @@ metadata:
 This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
 labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
- {{- with index .Values "validationFailureActionByPolicy" $name }}
- validationFailureAction: {{ toYaml . }}
- {{- else }}
- validationFailureAction: {{ .Values.validationFailureAction }}
- {{- end }}
- {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
- validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
- {{- end }}
 background: {{ .Values.background }}
 failurePolicy: {{ .Values.failurePolicy }}
 rules:
@@ -50,6 +42,14 @@ spec:
 skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
 {{- end }}
 validate:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ failureAction: {{ toYaml . }}
+ {{- else }}
+ failureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ failureActionOverrides: {{ toYaml . | nindent 8 }}
+ {{- end }}
 message: >-
 Privilege escalation is disallowed. The fields spec.containers[*].securityContext.allowPrivilegeEscalation,
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
index 7bb165be..32a1d22a 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
@@ -21,14 +21,6 @@ metadata:
 `runAsUser` is either unset or set to a number greater than zero.
 labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
- {{- with index .Values "validationFailureActionByPolicy" $name }}
- validationFailureAction: {{ toYaml . }}
- {{- else }}
- validationFailureAction: {{ .Values.validationFailureAction }}
- {{- end }}
- {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
- validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
- {{- end }}
 background: {{ .Values.background }}
 failurePolicy: {{ .Values.failurePolicy }}
 rules:
@@ -50,6 +42,14 @@ spec:
 skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
 {{- end }}
 validate:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ failureAction: {{ toYaml . }}
+ {{- else }}
+ failureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ failureActionOverrides: {{ toYaml . | nindent 8 }}
+ {{- end }}
 message: >-
 Running as root is not allowed. The fields spec.securityContext.runAsUser, spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser,
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
index 8b1e5895..c4f8a517 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
@@ -22,14 +22,6 @@ metadata:
 using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
 labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
- {{- with index .Values "validationFailureActionByPolicy" $name }}
- validationFailureAction: {{ toYaml . }}
- {{- else }}
- validationFailureAction: {{ .Values.validationFailureAction }}
- {{- end }}
- {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
- validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
- {{- end }}
 background: {{ .Values.background }}
 failurePolicy: {{ .Values.failurePolicy }}
 rules:
@@ -51,6 +43,14 @@ spec:
 skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
 {{- end }}
 validate:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ failureAction: {{ toYaml . }}
+ {{- else }}
+ failureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ failureActionOverrides: {{ toYaml . | nindent 8 }}
+ {{- end }}
 message: >-
 Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot must be set to `true`, or the fields spec.containers[*].securityContext.runAsNonRoot,
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
index 28482459..eb789c58 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
@@ -24,14 +24,6 @@ metadata:
 using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
 labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
- {{- with index .Values "validationFailureActionByPolicy" $name }}
- validationFailureAction: {{ toYaml . }}
- {{- else }}
- validationFailureAction: {{ .Values.validationFailureAction }}
- {{- end }}
- {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
- validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
- {{- end }}
 background: {{ .Values.background }}
 failurePolicy: {{ .Values.failurePolicy }}
 rules:
@@ -53,6 +45,14 @@ spec:
 skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
 {{- end }}
 validate:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ failureAction: {{ toYaml . }}
+ {{- else }}
+ failureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ failureActionOverrides: {{ toYaml . | nindent 8 }}
+ {{- end }}
 message: >-
 Use of custom Seccomp profiles is disallowed. The fields spec.securityContext.seccompProfile.type,
diff --git a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
index 57aae652..3e6ac31c 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
@@ -24,14 +24,6 @@ metadata:
 This policy blocks any other type of volume other than those in the allow list.
 labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
- {{- with index .Values "validationFailureActionByPolicy" $name }}
- validationFailureAction: {{ toYaml . }}
- {{- else }}
- validationFailureAction: {{ .Values.validationFailureAction }}
- {{- end }}
- {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
- validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
- {{- end }}
 background: {{ .Values.background }}
 failurePolicy: {{ .Values.failurePolicy }}
 rules:
@@ -70,6 +62,14 @@ spec:
 skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
 {{- end }}
 validate:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ failureAction: {{ toYaml . }}
+ {{- else }}
+ failureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
+ {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+ failureActionOverrides: {{ toYaml . | nindent 8 }}
+ {{- end }}
 message: >-
 Only the following types of volumes may be used: configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.
diff --git a/helm/kyverno-policies/charts/kyverno-policies/values.yaml b/helm/kyverno-policies/charts/kyverno-policies/values.yaml
index ceb9dadd..400ad5a1 100644
--- a/helm/kyverno-policies/charts/kyverno-policies/values.yaml
+++ b/helm/kyverno-policies/charts/kyverno-policies/values.yaml
@@ -20,6 +20,13 @@ includeOtherPolicies: []
 includeRestrictedPolicies: []
 # - require-run-as-non-root-user
+# -- Additional custom policies to include.
+customPolicies: []
+# - apiVersion: kyverno.io/v1
+# kind: ClusterPolicy
+# metadata: # metadata
+# spec: # spec
+
 # -- API server behavior if the webhook fails to respond ('Ignore', 'Fail')
 # For more info: https://kyverno.io/docs/writing-policies/policy-settings/
 failurePolicy: Fail
diff --git a/vendir.lock.yml b/vendir.lock.yml
index 557d64d0..a46b53f8 100644
--- a/vendir.lock.yml
+++ b/vendir.lock.yml
@@ -2,10 +2,10 @@ apiVersion: vendir.k14s.io/v1alpha1
 directories:
 - contents:
 - git:
- commitTitle: release v1.12.3 (#10351)...
- sha: 46293db866d6b741c109f8eeba202b5aa4c191b6
+ commitTitle: release 1.13.0 (#11477)...
+ sha: 978c2f3b56df37a8bea4ee649369efaea53a684b
 tags:
- - v1.12.3
+ - v1.13.0
 path: .
 path: helm/kyverno-policies/charts/kyverno-policies
 kind: LockConfig
diff --git a/vendir.yml b/vendir.yml
index 4022839f..a6389849 100644
@@ -6,7 +6,7 @@ directories:
 - path: .
 git:
 url: https://github.com/giantswarm/kyverno
- ref: v1.12.5
+ ref: v1.13.0
 includePaths:
 - charts/kyverno-policies/**
 newRootPath: charts/kyverno-policies
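Review bot: The `ref: v1.13.0` bump pulls in templates (the hunks above) that remove the spec-level `validationFailureAction`/`validationFailureActionOverrides` and emit only the per-rule `validate.failureAction`/`failureActionOverrides`, a field that, as far as I can tell, exists only in the Kyverno 1.13 CRDs, yet nothing in this repo records that new hard engine requirement. If this chart is applied to a cluster whose Kyverno CRD predates the field, the API server would presumably prune it on client-side apply and, with nothing left at spec level, the policies would fall back to Kyverno's default action (Audit, if I recall correctly), so an `Enforce` configuration silently becomes fail-open instead of failing the install. I would pin that expectation next to the ref, e.g. `ref: v1.13.0  # requires Kyverno >= 1.13: policies now use spec.rules[].validate.failureAction`, and call it out in this repo's release notes or a pre-install check so the policy bundle is not rolled out ahead of the engine. The chart directory under `helm/kyverno-policies/charts/kyverno-policies` is vendored by this file, so any change to the templates themselves belongs upstream.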