fix: kubernetes and kyverno version annotations in kyverno-policies helm chart (#1165) #11258

Open
wants to merge 1 commit into
base: main
1 change: 1 addition & 0 deletions charts/kyverno-policies/README.md
@@ -92,6 +92,7 @@ The command removes all the Kubernetes components associated with the chart and
| background | bool | `true` | Policies background mode |
| skipBackgroundRequests | bool | `nil` | SkipBackgroundRequests bypasses admission requests that are sent by the background controller |
| kyvernoVersion | string | `"autodetect"` | Kyverno version The default of "autodetect" will try to determine the currently installed version from the deployment |
| kubernetesVersion | string | `"1.28-1.31"` | Kubernetes version Against which the policy should work. Ideally range of versions no more than two prior (ex., 1.28-1.31), must be enclosed in quotes |

## Source Code

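Review bot: the new `kubernetesVersion` row reads "Kubernetes version Against which the policy should work", with a capitalised "Against" mid-sentence; this README table is helm-docs output generated from the `# --` comments in values.yaml, so the wording should be fixed at the source (one sentence, "e.g." rather than "ex.") and the README regenerated rather than hand-edited, otherwise the next `helm-docs` run reverts it.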
@@ -14,9 +14,9 @@ metadata:
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Adding capabilities beyond those listed in the policy must be disallowed.
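Review bot: `kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}` drops the quoting that the replaced hardcoded `"1.22-1.23"` had, so a user who sets `kubernetesVersion: 1.28` (unquoted, a YAML float) renders a non-string annotation value and the API server rejects the policy. Render it as `{{ .Values.kubernetesVersion | quote }}`, matching the `| quote` already applied to `podSecuritySeverity` in the restricted-profile templates of this PR, instead of relying on the "must be enclosed in quotes" note in values.yaml. The same applies to every template hunk below.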
@@ -13,8 +13,8 @@ metadata:
{{- if .Values.podSecuritySeverity }}
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
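Review bot: `{{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}` depends on a named template `kyverno-policies.kyvernoVersion` that this PR does not add, and the `kyvernoVersion: autodetect` value appears only as unchanged context in values.yaml; please confirm the helper exists in the chart's `_helpers.tpl` and state in the PR description what it returns when detection fails. `default` only falls back to `.Chart.AppVersion` for an empty string, so if the helper ever returns the literal `autodetect` it would be rendered into the annotation verbatim.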
@@ -14,8 +14,8 @@ metadata:
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod,Volume
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/description: >-
HostPath volumes let Pods use host directories and volumes in containers.
Using host resources can be used to access shared data or escalate privileges
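Review bot: replacing the fixed `kyverno.io/kyverno-version: 1.6.0` with the installed or chart version changes what the annotation asserts. In the Kyverno policy library this annotation records the Kyverno version the policy was tested against, whereas `policies.kyverno.io/minversion` (left at its static value in the hunks that carry it) is the actual compatibility floor. That is a reasonable choice for a chart that always ships with a matching Kyverno, but it should be called out in the PR description so that consumers of the annotation do not read it as a test claim.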
@@ -14,8 +14,8 @@ metadata:
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/description: >-
Access to host ports allows potential snooping of network traffic and should not be
allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
@@ -14,8 +14,8 @@ metadata:
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/description: >-
Windows pods offer the ability to run HostProcess containers which enables privileged
access to the Windows node. Privileged access to the host is disallowed in the baseline
@@ -14,8 +14,8 @@ metadata:
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/description: >-
Privileged mode disables most security mechanisms and must not be allowed. This policy
ensures Pods do not call for privileged mode.
@@ -14,8 +14,8 @@ metadata:
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/description: >-
The default /proc masks are set up to reduce attack surface and should be required. This policy
ensures nothing but the default procMount can be specified. Note that in order for users
@@ -14,8 +14,8 @@ metadata:
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/description: >-
SELinux options can be used to escalate privileges and should not be allowed. This policy
ensures that the `seLinuxOptions` field is undefined.
@@ -15,8 +15,8 @@ metadata:
{{- end }}
policies.kyverno.io/subject: Pod, Annotation
policies.kyverno.io/minversion: 1.3.0
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/description: >-
On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
The default policy should prevent overriding or disabling the policy, or restrict
@@ -14,8 +14,8 @@ metadata:
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/description: >-
The seccomp profile must not be explicitly set to Unconfined. This policy,
requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
@@ -14,8 +14,8 @@ metadata:
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/description: >-
Sysctls can disable security mechanisms or affect all containers on a
host, and should be disallowed except for an allowed "safe" subset. A
@@ -13,8 +13,8 @@ metadata:
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/minversion: 1.3.6
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Containers should be forbidden from running with a root primary or supplementary GID.
@@ -15,8 +15,8 @@ metadata:
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
@@ -14,8 +14,8 @@ metadata:
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/description: >-
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
@@ -14,8 +14,8 @@ metadata:
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/description: >-
Containers must be required to run as non-root users. This policy ensures
`runAsUser` is either unset or set to a number greater than zero.
@@ -14,8 +14,8 @@ metadata:
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/description: >-
Containers must be required to run as non-root users. This policy ensures
`runAsNonRoot` is set to `true`. A known issue prevents a policy such as this
@@ -14,8 +14,8 @@ metadata:
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
{{- end }}
policies.kyverno.io/subject: Pod
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
policies.kyverno.io/description: >-
The seccomp profile in the Restricted group must not be explicitly set to Unconfined
but additionally must also not allow an unset value. This policy,
@@ -16,8 +16,8 @@ metadata:
{{- end }}
policies.kyverno.io/subject: Pod,Volume
policies.kyverno.io/minversion: 1.6.0
kyverno.io/kubernetes-version: "1.22-1.23"
kyverno.io/kyverno-version: 1.6.0
kyverno.io/kubernetes-version: {{ .Values.kubernetesVersion }}
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
policies.kyverno.io/description: >-
In addition to restricting HostPath volumes, the restricted pod security profile
limits usage of non-core volume types to those defined through PersistentVolumes.
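Review bot: in this template the two annotations are emitted in the opposite order (`kubernetes-version` before `kyverno-version`) from every other template in the PR; since both lines are rewritten here anyway, ordering them the same way as the rest keeps the templates uniform and makes future bulk edits of these annotations a clean one-pattern change.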
4 changes: 4 additions & 0 deletions charts/kyverno-policies/values.yaml
@@ -114,3 +114,7 @@ skipBackgroundRequests: ~
# -- Kyverno version
# The default of "autodetect" will try to determine the currently installed version from the deployment
kyvernoVersion: autodetect

# -- Kubernetes version
# Against which the policy should work. Ideally range of versions no more than two prior (ex., 1.28-1.31), must be enclosed in quotes
kubernetesVersion: "1.28-1.31"
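Review bot: the `# --` comment for `kubernetesVersion` is split so that helm-docs renders it as "Kubernetes version Against which the policy should work"; make it one sentence, for example `# -- Kubernetes version range the policies are validated against; ideally no more than two minor versions prior (e.g. "1.28-1.31"), quoted so it stays a string`. Note also that the default `"1.28-1.31"` is stamped into every policy's `kyverno.io/kubernetes-version` annotation, so it will need bumping alongside the chart's supported Kubernetes range on each release.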