giantswarm · taylorbot · Dec 15, 2024 · Dec 15, 2024
@@ -1,6 +1,6 @@
 dependencies:
 - name: kyverno-policies
   repository: ""
-  version: 3.2.3
-digest: sha256:9027dcdad2c0fa1e1e64ba6fc59b9596f43316e07cc04253dfb2c66e2d8af1fd
-generated: "2024-06-15T08:01:55.708883438Z"
+  version: 3.3.0
+digest: sha256:ff3bdf0871a85fe5e61188e473310ecaa83948f201cbfb1b8f82da617c027766
+generated: "2024-12-15T08:02:04.448396639Z"
@@ -4,7 +4,7 @@ annotations:
   application.giantswarm.io/team: shield
 dependencies:
   - name: kyverno-policies
-    version: 3.2.3
+    version: 3.3.0
 description: |
   Kubernetes Pod Security Standards implemented as Kyverno policies
 engine: gotpl

@@ -1,8 +1,8 @@
 apiVersion: v2
 type: application
 name: kyverno-policies
-version: 3.2.3
-appVersion: v1.12.3
+version: 3.3.0
+appVersion: v1.13.0
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Pod Security Standards implemented as Kyverno policies
 keywords:
@@ -21,3 +21,8 @@ kubeVersion: ">=1.25.0-0"
 annotations:
   artifacthub.io/operator: "false"
   artifacthub.io/prerelease: "false"
+  artifacthub.io/changes: |
+    - kind: removed
+      description: Remove spec.validationFailureAction field from policies as it is deprecated
+    - kind: added
+      description: Add spec.validate[*].failureAction field to policies
@@ -2,7 +2,7 @@
 
 Kubernetes Pod Security Standards implemented as Kyverno policies
 
-![Version: 3.2.3](https://img.shields.io/badge/Version-3.2.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.12.3](https://img.shields.io/badge/AppVersion-v1.12.3-informational?style=flat-square)
+![Version: 3.3.0](https://img.shields.io/badge/Version-3.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.13.0](https://img.shields.io/badge/AppVersion-v1.13.0-informational?style=flat-square)
 
 ## About
 
@@ -37,6 +37,16 @@ An additional policy "require-non-root-groups" is included in an `other` group a
 
 For the latest version of these PSS policies, always refer to the kyverno/policies repo at https://github.com/kyverno/policies/tree/main/pod-security.
 
+## Deploy custom policies
+If you have custom policies you would like to deploy as part of the Helm release, provide their manifests in `.Values.customPolicies`:
+````yaml
+customPolicies:
+  - apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    metadata: # metadata
+    spec: # spec
+````
+
 ## Installing the Chart
 
 These PSS policies presently have a minimum requirement of Kyverno 1.6.0.
@@ -69,6 +79,7 @@ The command removes all the Kubernetes components associated with the chart and
 | podSecurityPolicies | list | `[]` | Policies to include when `podSecurityStandard` is `custom`. |
 | includeOtherPolicies | list | `[]` | Additional policies to include from `other`. |
 | includeRestrictedPolicies | list | `[]` | Additional policies to include from `restricted`. |
+| customPolicies | list | `[]` | Additional custom policies to include. |
 | failurePolicy | string | `"Fail"` | API server behavior if the webhook fails to respond ('Ignore', 'Fail') For more info: https://kyverno.io/docs/writing-policies/policy-settings/ |
 | validationFailureAction | string | `"Audit"` | Validation failure action (`Audit`, `Enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
 | validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. |

@@ -37,6 +37,16 @@ An additional policy "require-non-root-groups" is included in an `other` group a
 
 For the latest version of these PSS policies, always refer to the kyverno/policies repo at https://github.com/kyverno/policies/tree/main/pod-security.
 
+## Deploy custom policies
+If you have custom policies you would like to deploy as part of the Helm release, provide their manifests in `.Values.customPolicies`:
+````yaml
+customPolicies:
+  - apiVersion: kyverno.io/v1
+    kind: ClusterPolicy
+    metadata: # metadata
+    spec: # spec
+````
+
 ## Installing the Chart
 
 These PSS policies presently have a minimum requirement of Kyverno 1.6.0.

@@ -56,6 +56,15 @@ helm.sh/chart: {{ template "kyverno-policies.chart" . }}
 {{- end -}}
 {{- end -}}
 
+{{/* Set if custom policies are managed */}}
+{{- define "kyverno-policies.customPolicies" -}}
+    {{- if typeIs "string" .value }}
+        {{- tpl .value .context }}
+    {{- else }}
+        {{- tpl (.value | toYaml) .context }}
+    {{- end }}
+{{- end -}}
+
 {{/* Get deployed Kyverno version from Kubernetes */}}
 {{- define "kyverno-policies.kyvernoVersion" -}}
 {{- $version := "" -}}

@@ -22,14 +22,6 @@ metadata:
       Adding capabilities beyond those listed in the policy must be disallowed.
   labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
-  {{- with index .Values "validationFailureActionByPolicy" $name }}
-  validationFailureAction: {{ toYaml . }}
-  {{- else }}
-  validationFailureAction: {{ .Values.validationFailureAction }}
-  {{- end }}
-  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
-  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
-  {{- end }}
   background: {{ .Values.background }}
   failurePolicy: {{ .Values.failurePolicy }}
   rules:
@@ -68,6 +60,14 @@ spec:
       skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
       {{- end }}
       validate:
+        {{- with index .Values "validationFailureActionByPolicy" $name }}
+        failureAction: {{ toYaml . }}
+        {{- else }}
+        failureAction: {{ .Values.validationFailureAction }}
+        {{- end }}
+        {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+        failureActionOverrides: {{ toYaml . | nindent 8 }}
+        {{- end }}
         message: >-
           Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
           FSETID, KILL, MKNOD, NET_BIND_SERVICE, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT)

@@ -23,14 +23,6 @@ metadata:
       fields which make use of these host namespaces are unset or set to `false`.
   labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
-  {{- with index .Values "validationFailureActionByPolicy" $name }}
-  validationFailureAction: {{ toYaml . }}
-  {{- else }}
-  validationFailureAction: {{ .Values.validationFailureAction }}
-  {{- end }}
-  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
-  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
-  {{- end }}
   background: {{ .Values.background }}
   failurePolicy: {{ .Values.failurePolicy }}
   rules:
@@ -52,6 +44,14 @@ spec:
       skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
       {{- end }}
       validate:
+        {{- with index .Values "validationFailureActionByPolicy" $name }}
+        failureAction: {{ toYaml . }}
+        {{- else }}
+        failureAction: {{ .Values.validationFailureAction }}
+        {{- end }}
+        {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+        failureActionOverrides: {{ toYaml . | nindent 8 }}
+        {{- end }}
         message: >-
           Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
           spec.hostIPC, and spec.hostPID must be unset or set to `false`.

@@ -22,14 +22,6 @@ metadata:
       and should not be allowed. This policy ensures no hostPath volumes are in use.
   labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
-  {{- with index .Values "validationFailureActionByPolicy" $name }}
-  validationFailureAction: {{ toYaml . }}
-  {{- else }}
-  validationFailureAction: {{ .Values.validationFailureAction }}
-  {{- end }}
-  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
-  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
-  {{- end }}
   background: {{ .Values.background }}
   failurePolicy: {{ .Values.failurePolicy }}
   rules:
@@ -51,6 +43,14 @@ spec:
       skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
       {{- end }}
       validate:
+        {{- with index .Values "validationFailureActionByPolicy" $name }}
+        failureAction: {{ toYaml . }}
+        {{- else }}
+        failureAction: {{ .Values.validationFailureAction }}
+        {{- end }}
+        {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+        failureActionOverrides: {{ toYaml . | nindent 8 }}
+        {{- end }}
         message: >-
           HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
         pattern:

@@ -22,14 +22,6 @@ metadata:
       field is unset or set to `0`.
   labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
-  {{- with index .Values "validationFailureActionByPolicy" $name }}
-  validationFailureAction: {{ toYaml . }}
-  {{- else }}
-  validationFailureAction: {{ .Values.validationFailureAction }}
-  {{- end }}
-  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
-  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
-  {{- end }}
   background: {{ .Values.background }}
   failurePolicy: {{ .Values.failurePolicy }}
   rules:
@@ -51,6 +43,14 @@ spec:
       skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
       {{- end }}
       validate:
+        {{- with index .Values "validationFailureActionByPolicy" $name }}
+        failureAction: {{ toYaml . }}
+        {{- else }}
+        failureAction: {{ .Values.validationFailureAction }}
+        {{- end }}
+        {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+        failureActionOverrides: {{ toYaml . | nindent 8 }}
+        {{- end }}
         message: >-
           Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
           , spec.initContainers[*].ports[*].hostPort, and spec.ephemeralContainers[*].ports[*].hostPort

@@ -23,14 +23,6 @@ metadata:
       the `hostProcess` field, if present, is set to `false`.
   labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
-  {{- with index .Values "validationFailureActionByPolicy" $name }}
-  validationFailureAction: {{ toYaml . }}
-  {{- else }}
-  validationFailureAction: {{ .Values.validationFailureAction }}
-  {{- end }}
-  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
-  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
-  {{- end }}
   background: {{ .Values.background }}
   failurePolicy: {{ .Values.failurePolicy }}
   rules:
@@ -52,6 +44,14 @@ spec:
       skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
       {{- end }}
       validate:
+        {{- with index .Values "validationFailureActionByPolicy" $name }}
+        failureAction: {{ toYaml . }}
+        {{- else }}
+        failureAction: {{ .Values.validationFailureAction }}
+        {{- end }}
+        {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+        failureActionOverrides: {{ toYaml . | nindent 8 }}
+        {{- end }}
         message: >-
           HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
           spec.containers[*].securityContext.windowsOptions.hostProcess, spec.initContainers[*].securityContext.windowsOptions.hostProcess,

@@ -21,14 +21,6 @@ metadata:
       ensures Pods do not call for privileged mode.
   labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
-  {{- with index .Values "validationFailureActionByPolicy" $name }}
-  validationFailureAction: {{ toYaml . }}
-  {{- else }}
-  validationFailureAction: {{ .Values.validationFailureAction }}
-  {{- end }}
-  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
-  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
-  {{- end }}
   background: {{ .Values.background }}
   failurePolicy: {{ .Values.failurePolicy }}
   rules:
@@ -50,6 +42,14 @@ spec:
       skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
       {{- end }}
       validate:
+        {{- with index .Values "validationFailureActionByPolicy" $name }}
+        failureAction: {{ toYaml . }}
+        {{- else }}
+        failureAction: {{ .Values.validationFailureAction }}
+        {{- end }}
+        {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+        failureActionOverrides: {{ toYaml . | nindent 8 }}
+        {{- end }}
         message: >-
           Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
           and spec.initContainers[*].securityContext.privileged must be unset or set to `false`.

@@ -23,14 +23,6 @@ metadata:
       server.
   labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
-  {{- with index .Values "validationFailureActionByPolicy" $name }}
-  validationFailureAction: {{ toYaml . }}
-  {{- else }}
-  validationFailureAction: {{ .Values.validationFailureAction }}
-  {{- end }}
-  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
-  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
-  {{- end }}
   background: {{ .Values.background }}
   failurePolicy: {{ .Values.failurePolicy }}
   rules:
@@ -52,6 +44,14 @@ spec:
       skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
       {{- end }}
       validate:
+        {{- with index .Values "validationFailureActionByPolicy" $name }}
+        failureAction: {{ toYaml . }}
+        {{- else }}
+        failureAction: {{ .Values.validationFailureAction }}
+        {{- end }}
+        {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+        failureActionOverrides: {{ toYaml . | nindent 8 }}
+        {{- end }}
         message: >-
           Changing the proc mount from the default is not allowed. The fields
           spec.containers[*].securityContext.procMount, spec.initContainers[*].securityContext.procMount,

@@ -21,14 +21,6 @@ metadata:
       ensures that the `seLinuxOptions` field is undefined.
   labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
-  {{- with index .Values "validationFailureActionByPolicy" $name }}
-  validationFailureAction: {{ toYaml . }}
-  {{- else }}
-  validationFailureAction: {{ .Values.validationFailureAction }}
-  {{- end }}
-  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
-  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
-  {{- end }}
   background: {{ .Values.background }}
   failurePolicy: {{ .Values.failurePolicy }}
   rules:
@@ -50,6 +42,14 @@ spec:
       skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
       {{- end }}
       validate:
+        {{- with index .Values "validationFailureActionByPolicy" $name }}
+        failureAction: {{ toYaml . }}
+        {{- else }}
+        failureAction: {{ .Values.validationFailureAction }}
+        {{- end }}
+        {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+        failureActionOverrides: {{ toYaml . | nindent 8 }}
+        {{- end }}
         message: >-
           Setting the SELinux type is restricted. The fields
           spec.securityContext.seLinuxOptions.type, spec.containers[*].securityContext.seLinuxOptions.type,
@@ -90,6 +90,14 @@ spec:
       skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
       {{- end }}
       validate:
+        {{- with index .Values "validationFailureActionByPolicy" $name }}
+        failureAction: {{ toYaml . }}
+        {{- else }}
+        failureAction: {{ .Values.validationFailureAction }}
+        {{- end }}
+        {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+        failureActionOverrides: {{ toYaml . | nindent 8 }}
+        {{- end }}
         message: >-
           Setting the SELinux user or role is forbidden. The fields
           spec.securityContext.seLinuxOptions.user, spec.securityContext.seLinuxOptions.role,

@@ -24,14 +24,6 @@ metadata:
       specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
   labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
-  {{- with index .Values "validationFailureActionByPolicy" $name }}
-  validationFailureAction: {{ toYaml . }}
-  {{- else }}
-  validationFailureAction: {{ .Values.validationFailureAction }}
-  {{- end }}
-  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
-  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
-  {{- end }}
   background: {{ .Values.background }}
   failurePolicy: {{ .Values.failurePolicy }}
   rules:
@@ -53,6 +45,14 @@ spec:
       skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
       {{- end }}
       validate:
+        {{- with index .Values "validationFailureActionByPolicy" $name }}
+        failureAction: {{ toYaml . }}
+        {{- else }}
+        failureAction: {{ .Values.validationFailureAction }}
+        {{- end }}
+        {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
+        failureActionOverrides: {{ toYaml . | nindent 8 }}
+        {{- end }}
         message: >-
           Specifying other AppArmor profiles is disallowed. The annotation
           `container.apparmor.security.beta.kubernetes.io` if defined