From a8a5760db66539be8719d8b01706f2841c1fcfcd Mon Sep 17 00:00:00 2001 From: Mohab Yaser <93686102+Mohab96@users.noreply.github.com> Date: Tue, 18 Nov 2025 09:36:13 +0200 Subject: [PATCH 01/14] Converting ClusterPolicy to MutatingPolicy [patch 4] (#1367) * Converting ClusterPolicy to MutatingPolicy [patch 4] Signed-off-by: Mohab Yaser * updating artifacthub-pkg Signed-off-by: Mohab Yaser * fix: add permissions Signed-off-by: ShutingZhao * fixing resolve-image-to-digest Signed-off-by: Mohab Yaser * fixing label-nodes-cri Signed-off-by: Mohab Yaser * fix: adapt new .resolvedImage format Signed-off-by: ShutingZhao * chore: temp remove the CLI test Signed-off-by: ShutingZhao * chore: update hashes Signed-off-by: ShutingZhao --------- Signed-off-by: Mohab Yaser Signed-off-by: ShutingZhao Co-authored-by: ShutingZhao 
Signed-off-by: Brandon Metcalf --- .../.chainsaw-test/chainsaw-test.yaml | 26 +++ .../.chainsaw-test/ns.yaml | 4 + .../.chainsaw-test/policy-ready.yaml | 18 +++ .../.chainsaw-test/sa-not-patched.yaml | 6 + .../.chainsaw-test/sa-patched.yaml | 6 + .../.chainsaw-test/sa.yaml | 5 + .../.kyverno-test/kyverno-test.yaml | 16 ++ .../.kyverno-test/patchedResource.yaml | 5 + .../.kyverno-test/resource.yaml | 9 ++ .../artifacthub-pkg.yml | 23 +++ .../disable-automountserviceaccounttoken.yaml | 29 ++++ .../.chainsaw-test/chainsaw-test.yaml | 38 +++++ .../.chainsaw-test/crb.yaml | 15 ++ .../.chainsaw-test/ns.yaml | 18 +++ .../.chainsaw-test/patched-ns01.yaml | 6 + .../.chainsaw-test/patched-ns02.yaml | 6 + .../.chainsaw-test/patched-ns03.yaml | 7 + .../.chainsaw-test/policy-ready.yaml | 18 +++ .../artifacthub-pkg.yml | 22 +++ .../label-existing-namespaces.yaml | 39 +++++ .../chainsaw-step-00-apply-1.yaml | 18 +++ .../.chainsaw-test/chainsaw-test.yaml | 46 ++++++ .../.chainsaw-test/label-check.sh | 23 +++ .../.chainsaw-test/policy-ready.yaml | 18 +++ .../label-nodes-cri/artifacthub-pkg.yml | 22 +++ .../label-nodes-cri/label-nodes-cri.yaml | 53 ++++++ .../.chainsaw-test/chainsaw-test.yaml | 30 ++++ .../.chainsaw-test/cronjob-patched.yaml | 33 ++++ .../.chainsaw-test/deploy-patched.yaml | 41 +++++ .../.chainsaw-test/pod-patched01.yaml | 11 ++ .../.chainsaw-test/pod-patched02.yaml | 18 +++ .../.chainsaw-test/pod-patched03.yaml | 29 ++++ .../.chainsaw-test/pod.yaml | 48 ++++++ .../.chainsaw-test/podcontroller.yaml | 61 +++++++ .../.chainsaw-test/policy-ready.yaml | 18 +++ .../.kyverno-test/kyverno-test.yaml | 23 +++ .../.kyverno-test/patchedResource.yaml | 20 +++ .../.kyverno-test/patchedResource1.yaml | 12 ++ .../.kyverno-test/resource.yaml | 23 +++ .../mitigate-log4shell/artifacthub-pkg.yml | 22 +++ .../mitigate-log4shell.yaml | 92 +++++++++++ .../.chainsaw-test/chainsaw-test.yaml | 38 +++++ .../.chainsaw-test/not-pod-patched04.yaml | 37 +++++ 
.../.chainsaw-test/not-pod-patched05.yaml | 21 +++ .../.chainsaw-test/ns.yaml | 4 + .../.chainsaw-test/pod-patched.yaml | 28 ++++ .../.chainsaw-test/pod-patched02.yaml | 29 ++++ .../.chainsaw-test/pod-patched03.yaml | 21 +++ .../.chainsaw-test/pod-patched04.yaml | 31 ++++ .../.chainsaw-test/pods.yaml | 153 ++++++++++++++++++ .../.chainsaw-test/policy-ready.yaml | 18 +++ .../.kyverno-test/kyverno-test.yaml | 16 ++ .../.kyverno-test/patchedResource.yaml | 17 ++ .../.kyverno-test/resource.yaml | 30 ++++ .../artifacthub-pkg.yml | 22 +++ .../remove-hostpath-volumes.yaml | 92 +++++++++++ .../.chainsaw-test/chainsaw-test.yaml | 30 ++++ .../.chainsaw-test/ns.yaml | 4 + .../.chainsaw-test/pod-patched.yaml | 11 ++ .../.chainsaw-test/pod-patched02.yaml | 16 ++ .../.chainsaw-test/pod-patched03.yaml | 16 ++ .../.chainsaw-test/pods.yaml | 45 ++++++ .../.chainsaw-test/policy-ready.yaml | 18 +++ .../.kyverno-test/kyverno-test.yaml | 23 +++ .../.kyverno-test/patchedResource1.yaml | 9 ++ .../.kyverno-test/patchedResource3.yaml | 16 ++ .../.kyverno-test/resource.yaml | 41 +++++ .../artifacthub-pkg.yml | 22 +++ .../replace-image-registry.yaml | 67 ++++++++ .../.chainsaw-test/README.md | 11 ++ .../.chainsaw-test/chainsaw-test.yaml | 22 +++ .../.chainsaw-test/kuttlresource.yaml | 37 +++++ .../.chainsaw-test/ns.yaml | 4 + .../.chainsaw-test/policy-ready.yaml | 18 +++ .../.chainsaw-test/resource-mutated.yaml | 37 +++++ .../replace-ingress-hosts/artifacthub-pkg.yml | 22 +++ .../replace-ingress-hosts.yaml | 82 ++++++++++ .../.chainsaw-test/chainsaw-test.yaml | 24 +++ .../.chainsaw-test/podcontroller-patched.yaml | 39 +++++ .../.chainsaw-test/podcontroller.yaml | 39 +++++ .../.chainsaw-test/pods-patched.yaml | 19 +++ .../.chainsaw-test/pods.yaml | 19 +++ .../.chainsaw-test/policy-ready.yaml | 18 +++ .../artifacthub-pkg.yml | 22 +++ .../resolve-image-to-digest.yaml | 116 +++++++++++++ .../.chainsaw-test/chainsaw-test.yaml | 26 +++ .../.chainsaw-test/deploy.yaml | 68 ++++++++ 
.../.chainsaw-test/deploy01-patched.yaml | 27 ++++ .../.chainsaw-test/deploy02-not-patched.yaml | 26 +++ .../.chainsaw-test/deploy03-not-patched.yaml | 27 ++++ .../.chainsaw-test/policy-ready.yaml | 18 +++ .../.kyverno-test/kyverno-test.yaml | 16 ++ .../.kyverno-test/patchedResource.yaml | 28 ++++ .../.kyverno-test/resource.yaml | 21 +++ .../artifacthub-pkg.yml | 21 +++ .../spread-pods-across-topology.yaml | 51 ++++++ .../chainsaw-step-01-apply-1.yaml | 25 +++ .../.chainsaw-test/chainsaw-test.yaml | 46 ++++++ .../.chainsaw-test/cluster-role.yaml | 15 ++ .../.chainsaw-test/deploy.yaml | 95 +++++++++++ .../deploy00-patched-again.yaml | 25 +++ .../.chainsaw-test/deploy00-patched.yaml | 25 +++ .../deploy01-patched-again.yaml | 25 +++ .../.chainsaw-test/deploy01-patched.yaml | 25 +++ .../deploy02-patched-again.yaml | 25 +++ .../.chainsaw-test/deploy02-patched.yaml | 25 +++ .../.chainsaw-test/deploy03-not-patched.yaml | 22 +++ .../.chainsaw-test/deploy04-not-patched.yaml | 20 +++ .../update-image-tag/.chainsaw-test/ns.yaml | 4 + .../.chainsaw-test/policy-ready.yaml | 18 +++ .../.chainsaw-test/policy-update.yaml | 27 ++++ .../update-image-tag/artifacthub-pkg.yml | 22 +++ .../update-image-tag/update-image-tag.yaml | 57 +++++++ 113 files changed, 3211 insertions(+) create mode 100755 other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/ns.yaml create mode 100644 other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/policy-ready.yaml create mode 100644 other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/sa-not-patched.yaml create mode 100644 other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/sa-patched.yaml create mode 100644 other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/sa.yaml create mode 100644 other-mpol/disable-automountserviceaccounttoken/.kyverno-test/kyverno-test.yaml create mode 100644 
other-mpol/disable-automountserviceaccounttoken/.kyverno-test/patchedResource.yaml create mode 100644 other-mpol/disable-automountserviceaccounttoken/.kyverno-test/resource.yaml create mode 100644 other-mpol/disable-automountserviceaccounttoken/artifacthub-pkg.yml create mode 100644 other-mpol/disable-automountserviceaccounttoken/disable-automountserviceaccounttoken.yaml create mode 100755 other-mpol/label-existing-namespaces/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-mpol/label-existing-namespaces/.chainsaw-test/crb.yaml create mode 100644 other-mpol/label-existing-namespaces/.chainsaw-test/ns.yaml create mode 100644 other-mpol/label-existing-namespaces/.chainsaw-test/patched-ns01.yaml create mode 100644 other-mpol/label-existing-namespaces/.chainsaw-test/patched-ns02.yaml create mode 100644 other-mpol/label-existing-namespaces/.chainsaw-test/patched-ns03.yaml create mode 100644 other-mpol/label-existing-namespaces/.chainsaw-test/policy-ready.yaml create mode 100644 other-mpol/label-existing-namespaces/artifacthub-pkg.yml create mode 100644 other-mpol/label-existing-namespaces/label-existing-namespaces.yaml create mode 100755 other-mpol/label-nodes-cri/.chainsaw-test/chainsaw-step-00-apply-1.yaml create mode 100755 other-mpol/label-nodes-cri/.chainsaw-test/chainsaw-test.yaml create mode 100755 other-mpol/label-nodes-cri/.chainsaw-test/label-check.sh create mode 100644 other-mpol/label-nodes-cri/.chainsaw-test/policy-ready.yaml create mode 100644 other-mpol/label-nodes-cri/artifacthub-pkg.yml create mode 100644 other-mpol/label-nodes-cri/label-nodes-cri.yaml create mode 100755 other-mpol/mitigate-log4shell/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-mpol/mitigate-log4shell/.chainsaw-test/cronjob-patched.yaml create mode 100644 other-mpol/mitigate-log4shell/.chainsaw-test/deploy-patched.yaml create mode 100644 other-mpol/mitigate-log4shell/.chainsaw-test/pod-patched01.yaml create mode 100644 
other-mpol/mitigate-log4shell/.chainsaw-test/pod-patched02.yaml create mode 100644 other-mpol/mitigate-log4shell/.chainsaw-test/pod-patched03.yaml create mode 100644 other-mpol/mitigate-log4shell/.chainsaw-test/pod.yaml create mode 100644 other-mpol/mitigate-log4shell/.chainsaw-test/podcontroller.yaml create mode 100644 other-mpol/mitigate-log4shell/.chainsaw-test/policy-ready.yaml create mode 100644 other-mpol/mitigate-log4shell/.kyverno-test/kyverno-test.yaml create mode 100644 other-mpol/mitigate-log4shell/.kyverno-test/patchedResource.yaml create mode 100644 other-mpol/mitigate-log4shell/.kyverno-test/patchedResource1.yaml create mode 100644 other-mpol/mitigate-log4shell/.kyverno-test/resource.yaml create mode 100644 other-mpol/mitigate-log4shell/artifacthub-pkg.yml create mode 100644 other-mpol/mitigate-log4shell/mitigate-log4shell.yaml create mode 100755 other-mpol/remove-hostpath-volumes/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-mpol/remove-hostpath-volumes/.chainsaw-test/not-pod-patched04.yaml create mode 100644 other-mpol/remove-hostpath-volumes/.chainsaw-test/not-pod-patched05.yaml create mode 100644 other-mpol/remove-hostpath-volumes/.chainsaw-test/ns.yaml create mode 100644 other-mpol/remove-hostpath-volumes/.chainsaw-test/pod-patched.yaml create mode 100644 other-mpol/remove-hostpath-volumes/.chainsaw-test/pod-patched02.yaml create mode 100644 other-mpol/remove-hostpath-volumes/.chainsaw-test/pod-patched03.yaml create mode 100644 other-mpol/remove-hostpath-volumes/.chainsaw-test/pod-patched04.yaml create mode 100644 other-mpol/remove-hostpath-volumes/.chainsaw-test/pods.yaml create mode 100644 other-mpol/remove-hostpath-volumes/.chainsaw-test/policy-ready.yaml create mode 100644 other-mpol/remove-hostpath-volumes/.kyverno-test/kyverno-test.yaml create mode 100644 other-mpol/remove-hostpath-volumes/.kyverno-test/patchedResource.yaml create mode 100644 other-mpol/remove-hostpath-volumes/.kyverno-test/resource.yaml create mode 100644 
other-mpol/remove-hostpath-volumes/artifacthub-pkg.yml create mode 100644 other-mpol/remove-hostpath-volumes/remove-hostpath-volumes.yaml create mode 100755 other-mpol/replace-image-registry/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-mpol/replace-image-registry/.chainsaw-test/ns.yaml create mode 100644 other-mpol/replace-image-registry/.chainsaw-test/pod-patched.yaml create mode 100644 other-mpol/replace-image-registry/.chainsaw-test/pod-patched02.yaml create mode 100644 other-mpol/replace-image-registry/.chainsaw-test/pod-patched03.yaml create mode 100644 other-mpol/replace-image-registry/.chainsaw-test/pods.yaml create mode 100644 other-mpol/replace-image-registry/.chainsaw-test/policy-ready.yaml create mode 100644 other-mpol/replace-image-registry/.kyverno-test/kyverno-test.yaml create mode 100644 other-mpol/replace-image-registry/.kyverno-test/patchedResource1.yaml create mode 100644 other-mpol/replace-image-registry/.kyverno-test/patchedResource3.yaml create mode 100644 other-mpol/replace-image-registry/.kyverno-test/resource.yaml create mode 100644 other-mpol/replace-image-registry/artifacthub-pkg.yml create mode 100644 other-mpol/replace-image-registry/replace-image-registry.yaml create mode 100644 other-mpol/replace-ingress-hosts/.chainsaw-test/README.md create mode 100755 other-mpol/replace-ingress-hosts/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-mpol/replace-ingress-hosts/.chainsaw-test/kuttlresource.yaml create mode 100644 other-mpol/replace-ingress-hosts/.chainsaw-test/ns.yaml create mode 100644 other-mpol/replace-ingress-hosts/.chainsaw-test/policy-ready.yaml create mode 100644 other-mpol/replace-ingress-hosts/.chainsaw-test/resource-mutated.yaml create mode 100644 other-mpol/replace-ingress-hosts/artifacthub-pkg.yml create mode 100644 other-mpol/replace-ingress-hosts/replace-ingress-hosts.yaml create mode 100755 other-mpol/resolve-image-to-digest/.chainsaw-test/chainsaw-test.yaml create mode 100644 
other-mpol/resolve-image-to-digest/.chainsaw-test/podcontroller-patched.yaml create mode 100644 other-mpol/resolve-image-to-digest/.chainsaw-test/podcontroller.yaml create mode 100644 other-mpol/resolve-image-to-digest/.chainsaw-test/pods-patched.yaml create mode 100644 other-mpol/resolve-image-to-digest/.chainsaw-test/pods.yaml create mode 100644 other-mpol/resolve-image-to-digest/.chainsaw-test/policy-ready.yaml create mode 100644 other-mpol/resolve-image-to-digest/artifacthub-pkg.yml create mode 100644 other-mpol/resolve-image-to-digest/resolve-image-to-digest.yaml create mode 100755 other-mpol/spread-pods-across-topology/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-mpol/spread-pods-across-topology/.chainsaw-test/deploy.yaml create mode 100644 other-mpol/spread-pods-across-topology/.chainsaw-test/deploy01-patched.yaml create mode 100644 other-mpol/spread-pods-across-topology/.chainsaw-test/deploy02-not-patched.yaml create mode 100644 other-mpol/spread-pods-across-topology/.chainsaw-test/deploy03-not-patched.yaml create mode 100644 other-mpol/spread-pods-across-topology/.chainsaw-test/policy-ready.yaml create mode 100644 other-mpol/spread-pods-across-topology/.kyverno-test/kyverno-test.yaml create mode 100644 other-mpol/spread-pods-across-topology/.kyverno-test/patchedResource.yaml create mode 100644 other-mpol/spread-pods-across-topology/.kyverno-test/resource.yaml create mode 100644 other-mpol/spread-pods-across-topology/artifacthub-pkg.yml create mode 100644 other-mpol/spread-pods-across-topology/spread-pods-across-topology.yaml create mode 100755 other-mpol/update-image-tag/.chainsaw-test/chainsaw-step-01-apply-1.yaml create mode 100755 other-mpol/update-image-tag/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-mpol/update-image-tag/.chainsaw-test/cluster-role.yaml create mode 100644 other-mpol/update-image-tag/.chainsaw-test/deploy.yaml create mode 100644 other-mpol/update-image-tag/.chainsaw-test/deploy00-patched-again.yaml create 
mode 100644 other-mpol/update-image-tag/.chainsaw-test/deploy00-patched.yaml create mode 100644 other-mpol/update-image-tag/.chainsaw-test/deploy01-patched-again.yaml create mode 100644 other-mpol/update-image-tag/.chainsaw-test/deploy01-patched.yaml create mode 100644 other-mpol/update-image-tag/.chainsaw-test/deploy02-patched-again.yaml create mode 100644 other-mpol/update-image-tag/.chainsaw-test/deploy02-patched.yaml create mode 100644 other-mpol/update-image-tag/.chainsaw-test/deploy03-not-patched.yaml create mode 100644 other-mpol/update-image-tag/.chainsaw-test/deploy04-not-patched.yaml create mode 100644 other-mpol/update-image-tag/.chainsaw-test/ns.yaml create mode 100644 other-mpol/update-image-tag/.chainsaw-test/policy-ready.yaml create mode 100644 other-mpol/update-image-tag/.chainsaw-test/policy-update.yaml create mode 100644 other-mpol/update-image-tag/artifacthub-pkg.yml create mode 100644 other-mpol/update-image-tag/update-image-tag.yaml
diff --git a/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/chainsaw-test.yaml b/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..60c5ffcf3
--- /dev/null
+++ b/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,26 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: disable-automountserviceaccounttoken
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../disable-automountserviceaccounttoken.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ns.yaml
+ - apply:
+ file: sa.yaml
+ - name: step-03
+ try:
+ - assert:
+ file: sa-patched.yaml
+ - error:
+ file: sa-not-patched.yaml
diff --git a/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/ns.yaml b/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/ns.yaml
new file mode 100644
index 000000000..d727f1643
--- /dev/null
+++ b/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: disable-satokenmount-ns
\ No newline at end of file
diff --git a/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/policy-ready.yaml b/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/policy-ready.yaml
new file mode 100644
index 000000000..9931bda05
--- /dev/null
+++ b/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/policy-ready.yaml
@@ -0,0 +1,18 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: MutatingPolicy
+metadata:
+ name: disable-automountserviceaccounttoken
+status:
+ conditionStatus:
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ type: RBACPermissionsGranted
+ (length(conditions)): 2
+ ready: true
\ No newline at end of file
diff --git a/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/sa-not-patched.yaml b/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/sa-not-patched.yaml
new file mode 100644
index 000000000..b73081610
--- /dev/null
+++ b/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/sa-not-patched.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: false
+metadata:
+ name: foo-sa
+ namespace: disable-satokenmount-ns
\ No newline at end of file
diff --git a/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/sa-patched.yaml b/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/sa-patched.yaml
new file mode 100644
index 000000000..b5a0417b0
--- /dev/null
+++ b/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/sa-patched.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: false
+metadata:
+ name: default
+ namespace: disable-satokenmount-ns
\ No newline at end of file
diff --git a/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/sa.yaml b/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/sa.yaml
new file mode 100644
index 000000000..0acdf02a4
--- /dev/null
+++ b/other-mpol/disable-automountserviceaccounttoken/.chainsaw-test/sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: foo-sa
+ namespace: disable-satokenmount-ns
\ No newline at end of file
diff --git a/other-mpol/disable-automountserviceaccounttoken/.kyverno-test/kyverno-test.yaml b/other-mpol/disable-automountserviceaccounttoken/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..c0b8aadcb
--- /dev/null
+++ b/other-mpol/disable-automountserviceaccounttoken/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,16 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: disable-automountserviceaccounttoken
+policies:
+- ../disable-automountserviceaccounttoken.yaml
+resources:
+- resource.yaml
+results:
+- kind: ServiceAccount
+ patchedResources: patchedResource.yaml
+ policy: disable-automountserviceaccounttoken
+ resources:
+ - default
+ result: pass
+ isMutatingPolicy: true
diff --git a/other-mpol/disable-automountserviceaccounttoken/.kyverno-test/patchedResource.yaml b/other-mpol/disable-automountserviceaccounttoken/.kyverno-test/patchedResource.yaml
new file mode 100644
index 000000000..7176ccb99
--- /dev/null
+++ b/other-mpol/disable-automountserviceaccounttoken/.kyverno-test/patchedResource.yaml
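Review bot: The CLI test only asserts that `default` is patched; resource.yaml in this patch also carries a `demo-sa` ServiceAccount, but no entry under `results:` pins that it is left alone, so a regression that drops `resourceNames: ["default"]` from the policy would still pass this test. The chainsaw test covers the negative case through sa-not-patched.yaml, so this only brings the CLI test to parity by adding a second result with `result: skip` for `demo-sa`.

```yaml
results:
# … unchanged: existing `default` result …
- kind: ServiceAccount
  policy: disable-automountserviceaccounttoken
  resources:
  - demo-sa
  result: skip
  isMutatingPolicy: true
```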
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: default
+automountServiceAccountToken: false
\ No newline at end of file
diff --git a/other-mpol/disable-automountserviceaccounttoken/.kyverno-test/resource.yaml b/other-mpol/disable-automountserviceaccounttoken/.kyverno-test/resource.yaml
new file mode 100644
index 000000000..bea0184c4
--- /dev/null
+++ b/other-mpol/disable-automountserviceaccounttoken/.kyverno-test/resource.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: default
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: demo-sa
\ No newline at end of file
diff --git a/other-mpol/disable-automountserviceaccounttoken/artifacthub-pkg.yml b/other-mpol/disable-automountserviceaccounttoken/artifacthub-pkg.yml
new file mode 100644
index 000000000..622acc358
--- /dev/null
+++ b/other-mpol/disable-automountserviceaccounttoken/artifacthub-pkg.yml
@@ -0,0 +1,23 @@
+name: disable-automountserviceaccounttoken
+version: 1.0.0
+displayName: Disable automountServiceAccountToken
+createdAt: "2023-04-10T20:30:03.000Z"
+description: >-
+ A new ServiceAccount called `default` is created whenever a new Namespace is created. Pods spawned in that Namespace, unless otherwise set, will be assigned this ServiceAccount. This policy mutates any new `default` ServiceAccounts to disable auto-mounting of the token into Pods obviating the need to do so individually.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-mpol/disable-automountserviceaccounttoken/disable-automountserviceaccounttoken.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+ - EKS Best Practices
+readme: |
+ A new ServiceAccount called `default` is created whenever a new Namespace is created. Pods spawned in that Namespace, unless otherwise set, will be assigned this ServiceAccount. This policy mutates any new `default` ServiceAccounts to disable auto-mounting of the token into Pods obviating the need to do so individually.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other, EKS Best Practices"
+ kyverno/kubernetesVersion: "1.21"
+ kyverno/subject: "ServiceAccount"
+digest: b5b5288d761727769ef634826a6239592e0c328d87b9ef841d2abeff9579a92e
diff --git a/other-mpol/disable-automountserviceaccounttoken/disable-automountserviceaccounttoken.yaml b/other-mpol/disable-automountserviceaccounttoken/disable-automountserviceaccounttoken.yaml
new file mode 100644
index 000000000..7742ec5e4
--- /dev/null
+++ b/other-mpol/disable-automountserviceaccounttoken/disable-automountserviceaccounttoken.yaml
@@ -0,0 +1,29 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: MutatingPolicy
+metadata:
+ name: disable-automountserviceaccounttoken
+ annotations:
+ policies.kyverno.io/title: Disable automountServiceAccountToken
+ policies.kyverno.io/category: Other, EKS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: ServiceAccount
+ policies.kyverno.io/description: >-
+ A new ServiceAccount called `default` is created whenever a new Namespace is created.
+ Pods spawned in that Namespace, unless otherwise set, will be assigned this ServiceAccount.
+ This policy mutates any new `default` ServiceAccounts to disable auto-mounting of the token
+ into Pods obviating the need to do so individually.
+spec:
+ matchConstraints:
+ resourceRules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["serviceaccounts"]
+ resourceNames: ["default"]
+ mutations:
+ - patchType: ApplyConfiguration
+ applyConfiguration:
+ expression: |
+ Object{
+ automountServiceAccountToken: false
+ }
\ No newline at end of file
diff --git a/other-mpol/label-existing-namespaces/.chainsaw-test/chainsaw-test.yaml b/other-mpol/label-existing-namespaces/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..5bc5d3f2c
--- /dev/null
+++ b/other-mpol/label-existing-namespaces/.chainsaw-test/chainsaw-test.yaml
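Review bot: The description says the policy "mutates any new `default` ServiceAccounts", but `operations: ["CREATE", "UPDATE"]` combined with the unconditional `automountServiceAccountToken: false` in the ApplyConfiguration also reverts any later explicit re-enable on an existing `default` ServiceAccount. That is sensible hardening, but it should be stated so an operator is not surprised when a manual edit is silently undone; for example replace the last sentence with `This policy mutates any default ServiceAccount, on creation and on every update, to disable auto-mounting of the token into Pods obviating the need to do so individually.` The same wording is repeated in the description and readme of artifacthub-pkg.yml earlier in this patch and should be updated together with its digest.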
@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: label-existing-namespaces
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: crb.yaml
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: ns.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: ../label-existing-namespaces.yaml
+ - assert:
+ file: policy-ready.yaml
+ - patch:
+ resource:
+ apiVersion: v1
+ kind: Namespace
+ metadata:
+ name: label-namespace01
+ annotations:
+ trigger: "true"
+ - sleep:
+ duration: 15s
+ - assert:
+ file: patched-ns01.yaml
+ - assert:
+ file: patched-ns02.yaml
+ - assert:
+ file: patched-ns03.yaml
\ No newline at end of file
diff --git a/other-mpol/label-existing-namespaces/.chainsaw-test/crb.yaml b/other-mpol/label-existing-namespaces/.chainsaw-test/crb.yaml
new file mode 100644
index 000000000..f2790528e
--- /dev/null
+++ b/other-mpol/label-existing-namespaces/.chainsaw-test/crb.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:background-controller:label-ns
+ labels:
+ app.kubernetes.io/component: background-controller
+ app.kubernetes.io/instance: kyverno
+ app.kubernetes.io/part-of: kyverno
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - update
\ No newline at end of file
diff --git a/other-mpol/label-existing-namespaces/.chainsaw-test/ns.yaml b/other-mpol/label-existing-namespaces/.chainsaw-test/ns.yaml
new file mode 100644
index 000000000..7173f5fa7
--- /dev/null
+++ b/other-mpol/label-existing-namespaces/.chainsaw-test/ns.yaml
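Review bot: The ClusterRole in crb.yaml carries only the `app.kubernetes.io/*` labels, whereas the equivalent test role in chainsaw-step-00-apply-1.yaml later in this patch uses `rbac.kyverno.io/aggregate-to-background-controller: "true"`; if the installed Kyverno aggregates the background controller's ClusterRole only on the `rbac.kyverno.io/*` labels, this role is never picked up and the mutateExisting assertions either pass on permissions granted elsewhere or fail for the wrong reason. Adding `rbac.kyverno.io/aggregate-to-background-controller: "true"` under `labels:` makes the two test roles consistent and the grant explicit. The file name crb.yaml also suggests a ClusterRoleBinding although the manifest is a ClusterRole; `clusterrole.yaml` would match its content.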
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: label-namespace01
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ mykey: foo
+ name: label-namespace02
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ foo: bar
+ name: label-namespace03
\ No newline at end of file
diff --git a/other-mpol/label-existing-namespaces/.chainsaw-test/patched-ns01.yaml b/other-mpol/label-existing-namespaces/.chainsaw-test/patched-ns01.yaml
new file mode 100644
index 000000000..03c3244df
--- /dev/null
+++ b/other-mpol/label-existing-namespaces/.chainsaw-test/patched-ns01.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ mykey: myvalue
+ name: label-namespace01
\ No newline at end of file
diff --git a/other-mpol/label-existing-namespaces/.chainsaw-test/patched-ns02.yaml b/other-mpol/label-existing-namespaces/.chainsaw-test/patched-ns02.yaml
new file mode 100644
index 000000000..ee32c2f3a
--- /dev/null
+++ b/other-mpol/label-existing-namespaces/.chainsaw-test/patched-ns02.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ mykey: myvalue
+ name: label-namespace02
\ No newline at end of file
diff --git a/other-mpol/label-existing-namespaces/.chainsaw-test/patched-ns03.yaml b/other-mpol/label-existing-namespaces/.chainsaw-test/patched-ns03.yaml
new file mode 100644
index 000000000..00516b767
--- /dev/null
+++ b/other-mpol/label-existing-namespaces/.chainsaw-test/patched-ns03.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ foo: bar
+ mykey: myvalue
+ name: label-namespace03
\ No newline at end of file
diff --git a/other-mpol/label-existing-namespaces/.chainsaw-test/policy-ready.yaml b/other-mpol/label-existing-namespaces/.chainsaw-test/policy-ready.yaml
new file mode 100644
index 000000000..085350b42
--- /dev/null
+++ b/other-mpol/label-existing-namespaces/.chainsaw-test/policy-ready.yaml
@@ -0,0 +1,18 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: MutatingPolicy
+metadata:
+ name: label-existing-namespaces
+status:
+ conditionStatus:
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ type: RBACPermissionsGranted
+ (length(conditions)): 2
+ ready: true
\ No newline at end of file
diff --git a/other-mpol/label-existing-namespaces/artifacthub-pkg.yml b/other-mpol/label-existing-namespaces/artifacthub-pkg.yml
new file mode 100644
index 000000000..f2b61c8c1
--- /dev/null
+++ b/other-mpol/label-existing-namespaces/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: label-existing-namespaces
+version: 1.0.0
+displayName: Label Existing Namespaces
+createdAt: "2023-04-10T20:30:04.000Z"
+description: >-
+ Namespaces which preexist may need to be labeled after the fact and it is time consuming to identify which ones should be labeled and either doing so manually or with a scripted approach. This policy, which triggers on any AdmissionReview request to any Namespace, will result in applying the label `mykey=myvalue` to all existing Namespaces. If this policy is updated to change the desired label key or value, it will cause another mutation which updates all Namespaces.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-mpol/label-existing-namespaces/label-existing-namespaces.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+readme: |
+ Namespaces which preexist may need to be labeled after the fact and it is time consuming to identify which ones should be labeled and either doing so manually or with a scripted approach. This policy, which triggers on any AdmissionReview request to any Namespace, will result in applying the label `mykey=myvalue` to all existing Namespaces. If this policy is updated to change the desired label key or value, it will cause another mutation which updates all Namespaces.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other"
+ kyverno/kubernetesVersion: "1.23"
+ kyverno/subject: "Namespace"
+digest: 67e0d2cbf3ea0f64e06c48c506387d554b84c3be1a21a495a1fdd374c9230ac6
diff --git a/other-mpol/label-existing-namespaces/label-existing-namespaces.yaml b/other-mpol/label-existing-namespaces/label-existing-namespaces.yaml
new file mode 100644
index 000000000..bba68eb5c
--- /dev/null
+++ b/other-mpol/label-existing-namespaces/label-existing-namespaces.yaml
@@ -0,0 +1,39 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: MutatingPolicy +metadata: + name: label-existing-namespaces + annotations: + policies.kyverno.io/title: Label Existing Namespaces + policies.kyverno.io/category: Other + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Namespace + policies.kyverno.io/description: >- + Namespaces which preexist may need to be labeled after the fact and it is + time consuming to identify which ones should be labeled and either doing so manually + or with a scripted approach. This policy, which triggers on any AdmissionReview request + to any Namespace, will result in applying the label `mykey=myvalue` to all existing + Namespaces. If this policy is updated to change the desired label key or value, it will + cause another mutation which updates all Namespaces. +spec: + evaluation: + admission: + enabled: true + mutateExisting: + enabled: true + matchConstraints: + resourceRules: + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["namespaces"] + mutations: + - patchType: ApplyConfiguration + applyConfiguration: + expression: | + Object{ + metadata: Object.metadata{ + labels: { + "mykey": "myvalue" + } + } + } \ No newline at end of file diff --git a/other-mpol/label-nodes-cri/.chainsaw-test/chainsaw-step-00-apply-1.yaml b/other-mpol/label-nodes-cri/.chainsaw-test/chainsaw-step-00-apply-1.yaml new file mode 100755 index 000000000..6f7c577b1 --- /dev/null +++ b/other-mpol/label-nodes-cri/.chainsaw-test/chainsaw-step-00-apply-1.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + rbac.kyverno.io/aggregate-to-reports-controller: "true" + rbac.kyverno.io/aggregate-to-background-controller: "true" + name: kyverno:background-controller:label-nodes-cri +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + - update + - patch 
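Review bot: The `policies.kyverno.io/description` for label-existing-namespaces does not mention that `mutateExisting` relies on the Kyverno background controller holding update/patch on namespaces, whereas the label-nodes-cri policy in this same patch does call out the equivalent Node permission in its description. Suggest appending `Users may need to grant the Kyverno background controller permission to update Namespaces.` to the description so operators know why the mutation may silently never run. The chainsaw test appears to ship its own ClusterRoleBinding for this, which is a hint that the prerequisite is real.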
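Review bot: The ClusterRole in chainsaw-step-00-apply-1.yaml grants `update` and `patch` on nodes to the reports controller as well as the background controller, via both `rbac.kyverno.io/aggregate-to-*` labels on one rule set. The reports controller only reads resources, so aggregating write verbs into it widens that ServiceAccount's privileges for no benefit; drop `rbac.kyverno.io/aggregate-to-reports-controller: "true"` from this role, or split it into a read-only role for reports and a separate `update`/`patch` role for the background controller. Since this file is also the de facto example operators will copy for the policy, keeping it least-privilege matters beyond the test.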
diff --git a/other-mpol/label-nodes-cri/.chainsaw-test/chainsaw-test.yaml b/other-mpol/label-nodes-cri/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..ff14c661a --- /dev/null +++ b/other-mpol/label-nodes-cri/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,46 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: label-nodes-cri +spec: + steps: + - name: step-00 + try: + - apply: + file: chainsaw-step-00-apply-1.yaml + - name: step-01 + try: + - script: + content: | + kubectl get configmap kyverno -n kyverno -o yaml | sed 's/\[Node\/\*,\*,\*\]//g' | sed 's/\[Node,\*,\*\]//g' | kubectl apply -f - + - sleep: + duration: 3s + - name: step-02 + try: + - apply: + file: ../label-nodes-cri.yaml + - assert: + file: policy-ready.yaml + - name: step-02-trigger + try: + - script: + content: | + node=$(kubectl get nodes --no-headers | awk '{print $1}' | head -n 1) + kubectl annotate node $node kyverno-test=trigger --overwrite + - name: step-03 + try: + - sleep: + duration: 5s + - script: + content: ./label-check.sh + - name: step-04 + try: + - script: + content: | + kubectl get configmap -n kyverno kyverno -o yaml | sed 's/\[APIService,\*,\*\]/\[Node,\*,\*\] \[Node\/\*,\*,\*\] \[APIService,\*,\*\]/g' | kubectl apply -f - + - script: + content: | + node=$(kubectl get nodes --no-headers | awk '{print $1}' | head -n 1); + kubectl label --overwrite nodes $node runtime- \ No newline at end of file diff --git a/other-mpol/label-nodes-cri/.chainsaw-test/label-check.sh b/other-mpol/label-nodes-cri/.chainsaw-test/label-check.sh new file mode 100755 index 000000000..ec6bc6231 --- /dev/null +++ b/other-mpol/label-nodes-cri/.chainsaw-test/label-check.sh 
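Review bot: The restore of the `kyverno` ConfigMap resourceFilters and the removal of the `runtime` node label live in a plain `try` block of step-04, so a failing assertion in step-03 (or step-02-trigger) aborts the test before they run and leaves the cluster with Node filtering disabled for every subsequent test. Chainsaw steps accept a `finally:` list (and `cleanup:` at test level) that runs regardless of outcome; moving the two step-04 scripts under `finally:` of step-03 would make the test self-cleaning — confirm the exact key against the chainsaw schema referenced at the top of the file. The same pattern appears in remove-hostpath-volumes' chainsaw-test.yaml, where the forced `kubectl delete all --all --force --grace-period=0` runs in step-04 `try`. Minor: `$node` is unquoted in `kubectl annotate node $node` and `kubectl label --overwrite nodes $node runtime-`; `"$node"` matches label-check.sh.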
@@ -0,0 +1,23 @@ +#!/bin/bash +node=$(kubectl get nodes --no-headers | awk '{print $1}' | head -n 1) +containerd=$(kubectl get node "$node" -o json | kyverno jp query "pattern_match('containerd*', status.nodeInfo.containerRuntimeVersion)" | tail -n 1) +docker=$(kubectl get node "$node" -o json | kyverno jp query "pattern_match('docker*', status.nodeInfo.containerRuntimeVersion)" | tail -n 1) +if [ "$containerd" = "true" ]; then + check=$(kubectl get node "$node" -o json | kyverno jp query "metadata.labels.runtime=='containerd'" | tail -n 1); + if [ "$check" = "true" ]; then + echo "Success: node $node labelled runtime: containerd"; + exit 0; + else + echo "Failed to label node $node runtime: containerd"; + exit 1; + fi; +elif [ "$docker" = "true" ]; then + check=$(kubectl get node "$node" -o json | kyverno jp query "metadata.labels.runtime=='docker'" | tail -n 1); + if [ "$check" = "true" ]; then + echo "Success: node $node labelled runtime: docker"; + exit 0; + else + echo "Failed to label node $node runtime: docker"; + exit 1; + fi; +fi \ No newline at end of file diff --git a/other-mpol/label-nodes-cri/.chainsaw-test/policy-ready.yaml b/other-mpol/label-nodes-cri/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..c173402c3 --- /dev/null +++ b/other-mpol/label-nodes-cri/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,18 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: MutatingPolicy +metadata: + name: label-nodes-cri +status: + conditionStatus: + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + (length(conditions)): 2 + ready: true \ No newline at end of file 
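Review bot: label-check.sh exits 0 when neither `$containerd` nor `$docker` is `true`, because a bash `if` with no branch taken returns success, so on a cri-o node (or whenever the `kyverno jp` pipeline fails and the variables are empty) the check passes without verifying anything. Add a trailing branch before the final `fi`: `else echo "Unsupported or undetected runtime on node $node: containerd=$containerd docker=$docker"; exit 1;`. Adding `set -euo pipefail` after the shebang would also surface a failing `kubectl`/`kyverno jp` pipeline instead of letting it degrade into this vacuous pass.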
diff --git a/other-mpol/label-nodes-cri/artifacthub-pkg.yml b/other-mpol/label-nodes-cri/artifacthub-pkg.yml new file mode 100644 index 000000000..1fbbbf4ab --- /dev/null +++ b/other-mpol/label-nodes-cri/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: label-nodes-cri +version: 1.0.0 +displayName: Label Nodes with CRI Runtime +createdAt: "2023-04-10T20:30:04.000Z" +description: >- + CRI engines log in different formats. Loggers deployed as DaemonSets don't know which format to apply because they can't see this information. By Kyverno writing a label to each node with its runtime, loggers can use node label selectors to know which parsing logic to use. This policy detects the CRI engine in use and writes a label to the Node called `runtime` with it. The Node resource filter should be removed and users may need to grant the Kyverno ServiceAccount permission to update Nodes. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-mpol/label-nodes-cri/label-nodes-cri.yaml + ``` +keywords: + - kyverno + - other +readme: | + CRI engines log in different formats. Loggers deployed as DaemonSets don't know which format to apply because they can't see this information. By Kyverno writing a label to each node with its runtime, loggers can use node label selectors to know which parsing logic to use. This policy detects the CRI engine in use and writes a label to the Node called `runtime` with it. The Node resource filter should be removed and users may need to grant the Kyverno ServiceAccount permission to update Nodes. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "Node, Label" +digest: 0f7032f03cd968d37ef1525c52574f77f4278477023de26537f86855311b45b6 
diff --git a/other-mpol/label-nodes-cri/label-nodes-cri.yaml b/other-mpol/label-nodes-cri/label-nodes-cri.yaml new file mode 100644 index 000000000..dff455b91 --- /dev/null +++ b/other-mpol/label-nodes-cri/label-nodes-cri.yaml @@ -0,0 +1,53 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: MutatingPolicy +metadata: + name: label-nodes-cri + annotations: + policies.kyverno.io/title: Label Nodes with CRI Runtime + policies.kyverno.io/category: Other + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Node, Label + policies.kyverno.io/description: >- + CRI engines log in different formats. Loggers deployed as DaemonSets don't know + which format to apply because they can't see this information. By Kyverno writing a label + to each node with its runtime, loggers can use node label selectors to know which parsing logic to use. + This policy detects the CRI engine in use and writes a label to the Node called `runtime` with it. + Users may need to grant the Kyverno ServiceAccount permission to update Nodes. +spec: + evaluation: + admission: + enabled: true + mutateExisting: + enabled: true + matchConstraints: + resourceRules: + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["nodes"] + mutations: + - patchType: ApplyConfiguration + applyConfiguration: + expression: | + has(object.status.nodeInfo.containerRuntimeVersion) && + object.status.nodeInfo.containerRuntimeVersion.startsWith("containerd") ? + Object{ + metadata: Object.metadata{ + labels: { + "runtime": "containerd" + } + } + } : Object{} + + - patchType: ApplyConfiguration + applyConfiguration: + expression: | + has(object.status.nodeInfo.containerRuntimeVersion) && + object.status.nodeInfo.containerRuntimeVersion.startsWith("docker") ? + Object{ + metadata: Object.metadata{ + labels: { + "runtime": "docker" + } + } + } : Object{} \ No newline at end of file 
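Review bot: The `policies.kyverno.io/description` in label-nodes-cri.yaml dropped the prerequisite that the Node entry must be removed from Kyverno's resourceFilters, yet the artifacthub-pkg.yml description in this same patch still states it and the chainsaw test has to strip `[Node,*,*]` and `[Node/*,*,*]` from the `kyverno` ConfigMap before the policy fires. Re-add the sentence `The Node resource filter should be removed from the Kyverno ConfigMap.` so the policy and its listing agree and users are not surprised by a no-op policy. It may also be worth a one-line note that nodes reporting a runtime other than containerd or docker (for example cri-o) get `Object{}` from both mutations and are left unlabelled.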
diff --git a/other-mpol/mitigate-log4shell/.chainsaw-test/chainsaw-test.yaml b/other-mpol/mitigate-log4shell/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..7fce80954 --- /dev/null +++ b/other-mpol/mitigate-log4shell/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,30 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: mitigate-log4shell +spec: + steps: + - name: step-01 + try: + - apply: + file: ../mitigate-log4shell.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pod.yaml + - apply: + file: podcontroller.yaml + - assert: + file: pod-patched01.yaml + - assert: + file: pod-patched02.yaml + - assert: + file: pod-patched03.yaml + - assert: + file: deploy-patched.yaml + - assert: + file: cronjob-patched.yaml diff --git a/other-mpol/mitigate-log4shell/.chainsaw-test/cronjob-patched.yaml b/other-mpol/mitigate-log4shell/.chainsaw-test/cronjob-patched.yaml new file mode 100644 index 000000000..41b4fda4b --- /dev/null +++ b/other-mpol/mitigate-log4shell/.chainsaw-test/cronjob-patched.yaml @@ -0,0 +1,33 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: cronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + initContainers: + - name: busybox-init + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" + - name: busybox02-init + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" + restartPolicy: OnFailure \ No newline at end of file 
diff --git a/other-mpol/mitigate-log4shell/.chainsaw-test/deploy-patched.yaml b/other-mpol/mitigate-log4shell/.chainsaw-test/deploy-patched.yaml new file mode 100644 index 000000000..170a01625 --- /dev/null +++ b/other-mpol/mitigate-log4shell/.chainsaw-test/deploy-patched.yaml @@ -0,0 +1,41 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: deployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + initContainers: + - name: busybox-init + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" + - name: busybox02-init + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: foo + value: bar + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" \ No newline at end of file diff --git a/other-mpol/mitigate-log4shell/.chainsaw-test/pod-patched01.yaml b/other-mpol/mitigate-log4shell/.chainsaw-test/pod-patched01.yaml new file mode 100644 index 000000000..a06db0ae5 --- /dev/null +++ b/other-mpol/mitigate-log4shell/.chainsaw-test/pod-patched01.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod01 +spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" \ No newline at end of file diff --git a/other-mpol/mitigate-log4shell/.chainsaw-test/pod-patched02.yaml b/other-mpol/mitigate-log4shell/.chainsaw-test/pod-patched02.yaml new file mode 100644 index 000000000..acb2e1752 --- /dev/null +++ b/other-mpol/mitigate-log4shell/.chainsaw-test/pod-patched02.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod02 +spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: foo + value: bar + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" \ No newline at end of file diff --git a/other-mpol/mitigate-log4shell/.chainsaw-test/pod-patched03.yaml b/other-mpol/mitigate-log4shell/.chainsaw-test/pod-patched03.yaml new file mode 100644 index 000000000..4f2584f71 --- /dev/null +++ b/other-mpol/mitigate-log4shell/.chainsaw-test/pod-patched03.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod03 +spec: + initContainers: + - name: busybox-init + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" + - name: busybox02-init + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: foo + value: bar + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" \ No newline at end of file diff --git a/other-mpol/mitigate-log4shell/.chainsaw-test/pod.yaml b/other-mpol/mitigate-log4shell/.chainsaw-test/pod.yaml new file mode 100644 index 000000000..a38dc06d7 --- /dev/null +++ b/other-mpol/mitigate-log4shell/.chainsaw-test/pod.yaml 
@@ -0,0 +1,48 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod01 +spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod02 +spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: foo + value: bar + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "false" +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod03 +spec: + initContainers: + - name: busybox-init + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "false" + - name: busybox02-init + image: ghcr.io/kyverno/test-busybox:1.35 + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: foo + value: bar + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "false" \ No newline at end of file diff --git a/other-mpol/mitigate-log4shell/.chainsaw-test/podcontroller.yaml b/other-mpol/mitigate-log4shell/.chainsaw-test/podcontroller.yaml new file mode 100644 index 000000000..3bee10f48 --- /dev/null +++ b/other-mpol/mitigate-log4shell/.chainsaw-test/podcontroller.yaml 
@@ -0,0 +1,61 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: deployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + initContainers: + - name: busybox-init + image: ghcr.io/kyverno/test-busybox:1.35 + - name: busybox02-init + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "false" + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: foo + value: bar +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: cronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + initContainers: + - name: busybox-init + image: ghcr.io/kyverno/test-busybox:1.35 + - name: busybox02-init + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "false" + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "false" + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-mpol/mitigate-log4shell/.chainsaw-test/policy-ready.yaml b/other-mpol/mitigate-log4shell/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..7a54f0c80 --- /dev/null +++ b/other-mpol/mitigate-log4shell/.chainsaw-test/policy-ready.yaml 
@@ -0,0 +1,18 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: MutatingPolicy +metadata: + name: log4shell-mitigation +status: + conditionStatus: + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + (length(conditions)): 2 + ready: true \ No newline at end of file diff --git a/other-mpol/mitigate-log4shell/.kyverno-test/kyverno-test.yaml b/other-mpol/mitigate-log4shell/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..c4dbab59f --- /dev/null +++ b/other-mpol/mitigate-log4shell/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,23 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: log4shell-mitigation +policies: +- ../mitigate-log4shell.yaml +resources: +- resource.yaml +results: +- kind: Pod + patchedResources: patchedResource.yaml + policy: log4shell-mitigation + resources: + - demo-pod01 + result: pass + isMutatingPolicy: true +- kind: Pod + patchedResources: patchedResource1.yaml + policy: log4shell-mitigation + resources: + - demo-pod02 + result: pass + isMutatingPolicy: true diff --git a/other-mpol/mitigate-log4shell/.kyverno-test/patchedResource.yaml b/other-mpol/mitigate-log4shell/.kyverno-test/patchedResource.yaml new file mode 100644 index 000000000..173d77f12 --- /dev/null +++ b/other-mpol/mitigate-log4shell/.kyverno-test/patchedResource.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: demo-pod01 +spec: + initContainers: + - name: initbusybox + image: busybox:1.28 + command: ["sleep", "9999"] + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" + containers: + - name: busybox + image: busybox:1.28 + command: ["sleep", "9999"] + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" + \ No newline at end of file 
diff --git a/other-mpol/mitigate-log4shell/.kyverno-test/patchedResource1.yaml b/other-mpol/mitigate-log4shell/.kyverno-test/patchedResource1.yaml new file mode 100644 index 000000000..ceb0c29c1 --- /dev/null +++ b/other-mpol/mitigate-log4shell/.kyverno-test/patchedResource1.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: demo-pod02 +spec: + containers: + - name: busybox + image: busybox:1.28 + command: ["sleep", "9999"] + env: + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" \ No newline at end of file diff --git a/other-mpol/mitigate-log4shell/.kyverno-test/resource.yaml b/other-mpol/mitigate-log4shell/.kyverno-test/resource.yaml new file mode 100644 index 000000000..99de9b543 --- /dev/null +++ b/other-mpol/mitigate-log4shell/.kyverno-test/resource.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: demo-pod01 +spec: + initContainers: + - name: initbusybox + image: busybox:1.28 + command: ["sleep", "9999"] + containers: + - name: busybox + image: busybox:1.28 + command: ["sleep", "9999"] +--- +apiVersion: v1 +kind: Pod +metadata: + name: demo-pod02 +spec: + containers: + - name: busybox + image: busybox:1.28 + command: ["sleep", "9999"] diff --git a/other-mpol/mitigate-log4shell/artifacthub-pkg.yml b/other-mpol/mitigate-log4shell/artifacthub-pkg.yml new file mode 100644 index 000000000..d601bae8f --- /dev/null +++ b/other-mpol/mitigate-log4shell/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: mitigate-log4shell +version: 1.0.0 +displayName: Log4Shell Mitigation +createdAt: "2023-04-10T20:30:04.000Z" +description: >- + In response to CVE-2021-44228 referred to as Log4Shell, a RCE vulnerability in the Log4j library, a partial yet incomplete workaround for versions 2.10 to 2.14.1 of the library is to set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to "true". While this does provide some benefit by limiting exposure, there are still code paths which can exploit this vulnerability. It is highly recommended to upgrade log4j as soon as possible. See https://logging.apache.org/log4j/2.x/security.html for more details. This policy will mutate all initContainers and containers in an incoming Pod to add this environment variable automatically. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-mpol/mitigate-log4shell/mitigate-log4shell.yaml + ``` +keywords: + - kyverno + - Sample +readme: | + In response to CVE-2021-44228 referred to as Log4Shell, a RCE vulnerability in the Log4j library, a partial yet incomplete workaround for versions 2.10 to 2.14.1 of the library is to set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to "true". While this does provide some benefit by limiting exposure, there are still code paths which can exploit this vulnerability. It is highly recommended to upgrade log4j as soon as possible. See https://logging.apache.org/log4j/2.x/security.html for more details. This policy will mutate all initContainers and containers in an incoming Pod to add this environment variable automatically. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Sample" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "Pod" +digest: b3b4d783c4460b064cacf6c32dcd5ec8c495db2c2955ef7bdcb1d2ae59ee0d1b 
diff --git a/other-mpol/mitigate-log4shell/mitigate-log4shell.yaml b/other-mpol/mitigate-log4shell/mitigate-log4shell.yaml new file mode 100644 index 000000000..3b102b064 --- /dev/null +++ b/other-mpol/mitigate-log4shell/mitigate-log4shell.yaml 
@@ -0,0 +1,92 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: MutatingPolicy +metadata: + name: log4shell-mitigation + annotations: + policies.kyverno.io/title: Log4Shell Mitigation + policies.kyverno.io/subject: Pod + policies.kyverno.io/category: Sample + policies.kyverno.io/description: >- + In response to CVE-2021-44228 referred to as Log4Shell, this policy + automatically adds LOG4J_FORMAT_MSG_NO_LOOKUPS=true to all containers + and initContainers in Pods and pod controllers as a partial mitigation measure. +spec: + evaluation: + admission: + enabled: true + matchConstraints: + resourceRules: + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["pods"] + - apiGroups: ["apps"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["deployments", "daemonsets", "statefulsets"] + - apiGroups: ["batch"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["jobs", "cronjobs"] + variables: + - name: isPod + expression: object.kind == "Pod" + - name: isCronJob + expression: object.kind == "CronJob" + - name: isPodController + expression: has(object.spec.template.spec) + - name: podSpec + expression: | + variables.isPod ? object.spec : + variables.isCronJob ? object.spec.jobTemplate.spec.template.spec : + variables.isPodController ? object.spec.template.spec : + {} + - name: specPath + expression: | + variables.isPod ? "/spec" : + variables.isCronJob ? "/spec/jobTemplate/spec/template/spec" : + "/spec/template/spec" + mutations: + - patchType: JSONPatch + jsonPatch: + expression: | + variables.podSpec.containers.map(c, + has(c.env) && c.env.exists(e, e.name == "LOG4J_FORMAT_MSG_NO_LOOKUPS") ? + JSONPatch{ + op: "replace", + path: variables.specPath + "/containers/" + string(variables.podSpec.containers.indexOf(c)) + "/env/" + string(c.env.map(e, e.name).indexOf("LOG4J_FORMAT_MSG_NO_LOOKUPS")), + value: {"name": "LOG4J_FORMAT_MSG_NO_LOOKUPS", "value": "true"} + } : + has(c.env) ? 
+ JSONPatch{ + op: "add", + path: variables.specPath + "/containers/" + string(variables.podSpec.containers.indexOf(c)) + "/env/-", + value: {"name": "LOG4J_FORMAT_MSG_NO_LOOKUPS", "value": "true"} + } : + JSONPatch{ + op: "add", + path: variables.specPath + "/containers/" + string(variables.podSpec.containers.indexOf(c)) + "/env", + value: [{"name": "LOG4J_FORMAT_MSG_NO_LOOKUPS", "value": "true"}] + } + ) + + (has(variables.podSpec.initContainers) ? + variables.podSpec.initContainers.map(c, + has(c.env) && c.env.exists(e, e.name == "LOG4J_FORMAT_MSG_NO_LOOKUPS") ? + JSONPatch{ + op: "replace", + path: variables.specPath + "/initContainers/" + string(variables.podSpec.initContainers.indexOf(c)) + "/env/" + string(c.env.map(e, e.name).indexOf("LOG4J_FORMAT_MSG_NO_LOOKUPS")), + value: {"name": "LOG4J_FORMAT_MSG_NO_LOOKUPS", "value": "true"} + } : + has(c.env) ? + JSONPatch{ + op: "add", + path: variables.specPath + "/initContainers/" + string(variables.podSpec.initContainers.indexOf(c)) + "/env/-", + value: {"name": "LOG4J_FORMAT_MSG_NO_LOOKUPS", "value": "true"} + } : + JSONPatch{ + op: "add", + path: variables.specPath + "/initContainers/" + string(variables.podSpec.initContainers.indexOf(c)) + "/env", + value: [{"name": "LOG4J_FORMAT_MSG_NO_LOOKUPS", "value": "true"}] + } + ) : [] + ) \ No newline at end of file diff --git a/other-mpol/remove-hostpath-volumes/.chainsaw-test/chainsaw-test.yaml b/other-mpol/remove-hostpath-volumes/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..b492c3746 --- /dev/null +++ b/other-mpol/remove-hostpath-volumes/.chainsaw-test/chainsaw-test.yaml 
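Review bot: The `isPodController` variable is `has(object.spec.template.spec)`, which in CEL I believe raises a no-such-key error rather than returning false when `object.spec.template` itself is absent (a CronJob); the policy only avoids this because `podSpec` and `specPath` test `variables.isCronJob` before reaching `variables.isPodController` in their ternaries. Making the check self-contained, `expression: has(object.spec.template) && has(object.spec.template.spec)`, removes that ordering dependency so future edits to the ternaries cannot break CronJob handling. The `{}` fallback in `podSpec` is likewise unreachable for the matched kinds but would fail on `.containers` if the matchConstraints were ever widened. This hunk starts in the previous line.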
@@ -0,0 +1,38 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: remove-hostpath-volumes +spec: + steps: + - name: step-01 + try: + - apply: + file: ../remove-hostpath-volumes.yaml + - apply: + file: ns.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pods.yaml + - name: step-03 + try: + - assert: + file: pod-patched.yaml + - assert: + file: pod-patched02.yaml + - assert: + file: pod-patched03.yaml + - assert: + file: pod-patched04.yaml + - error: + file: not-pod-patched04.yaml + - error: + file: not-pod-patched05.yaml + - name: step-04 + try: + - script: + content: kubectl delete all --all --force --grace-period=0 -n remove-hostpathvols-ns diff --git a/other-mpol/remove-hostpath-volumes/.chainsaw-test/not-pod-patched04.yaml b/other-mpol/remove-hostpath-volumes/.chainsaw-test/not-pod-patched04.yaml new file mode 100644 index 000000000..e18da3573 --- /dev/null +++ b/other-mpol/remove-hostpath-volumes/.chainsaw-test/not-pod-patched04.yaml @@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod04 + namespace: remove-hostpathvols-ns +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: config-vol + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: foo + - name: busybox03 + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: empty + volumes: + - name: empty + emptyDir: + medium: memory + sizeLimit: 20Mi + - name: foo + hostPath: + path: /data/junk + - name: config-vol + configMap: + name: foo + items: + - key: foo + path: bar \ No newline at end of file 
diff --git a/other-mpol/remove-hostpath-volumes/.chainsaw-test/not-pod-patched05.yaml b/other-mpol/remove-hostpath-volumes/.chainsaw-test/not-pod-patched05.yaml new file mode 100644 index 000000000..e182bbc32 --- /dev/null +++ b/other-mpol/remove-hostpath-volumes/.chainsaw-test/not-pod-patched05.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod05 + namespace: remove-hostpathvols-ns +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: foo + - name: busybox03 + image: ghcr.io/kyverno/test-busybox:1.35 + volumes: + - name: foo + hostPath: + path: /data/junk \ No newline at end of file diff --git a/other-mpol/remove-hostpath-volumes/.chainsaw-test/ns.yaml b/other-mpol/remove-hostpath-volumes/.chainsaw-test/ns.yaml new file mode 100644 index 000000000..c41e674bb --- /dev/null +++ b/other-mpol/remove-hostpath-volumes/.chainsaw-test/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: remove-hostpathvols-ns \ No newline at end of file diff --git a/other-mpol/remove-hostpath-volumes/.chainsaw-test/pod-patched.yaml b/other-mpol/remove-hostpath-volumes/.chainsaw-test/pod-patched.yaml new file mode 100644 index 000000000..0831ab7ee --- /dev/null +++ b/other-mpol/remove-hostpath-volumes/.chainsaw-test/pod-patched.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod01 + namespace: remove-hostpathvols-ns +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: empty + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: empty + - name: busybox03 + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: empty + volumes: + - name: empty + emptyDir: + medium: memory + sizeLimit: 20Mi \ No newline at end of file diff --git a/other-mpol/remove-hostpath-volumes/.chainsaw-test/pod-patched02.yaml b/other-mpol/remove-hostpath-volumes/.chainsaw-test/pod-patched02.yaml new file mode 100644 index 000000000..2d69f1266 --- /dev/null +++ b/other-mpol/remove-hostpath-volumes/.chainsaw-test/pod-patched02.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod02 + namespace: remove-hostpathvols-ns +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: config-vol + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: empty + volumes: + - name: empty + emptyDir: + medium: memory + sizeLimit: 20Mi + - name: config-vol + configMap: + name: foo + items: + - key: foo + path: bar \ No newline at end of file diff --git a/other-mpol/remove-hostpath-volumes/.chainsaw-test/pod-patched03.yaml b/other-mpol/remove-hostpath-volumes/.chainsaw-test/pod-patched03.yaml new file mode 100644 index 000000000..8a48b8687 --- /dev/null +++ b/other-mpol/remove-hostpath-volumes/.chainsaw-test/pod-patched03.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod03 + namespace: remove-hostpathvols-ns +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + volumes: + - name: empty + emptyDir: + medium: memory + sizeLimit: 20Mi + - name: config-vol + configMap: + name: foo + items: + - key: foo + path: bar \ No newline at end of file diff --git a/other-mpol/remove-hostpath-volumes/.chainsaw-test/pod-patched04.yaml b/other-mpol/remove-hostpath-volumes/.chainsaw-test/pod-patched04.yaml new file mode 100644 index 000000000..b520b7761 --- /dev/null +++ b/other-mpol/remove-hostpath-volumes/.chainsaw-test/pod-patched04.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod04 + namespace: remove-hostpathvols-ns +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: config-vol + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + - name: busybox03 + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: empty + volumes: + - name: empty + emptyDir: + medium: memory + sizeLimit: 20Mi + - name: config-vol + configMap: + name: foo + items: + - key: foo + path: bar \ No newline at end of file diff --git a/other-mpol/remove-hostpath-volumes/.chainsaw-test/pods.yaml b/other-mpol/remove-hostpath-volumes/.chainsaw-test/pods.yaml new file mode 100644 index 000000000..b8a610b58 --- /dev/null +++ b/other-mpol/remove-hostpath-volumes/.chainsaw-test/pods.yaml 
@@ -0,0 +1,153 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod01 + namespace: remove-hostpathvols-ns +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /test-pd + name: foo + - mountPath: /foo + name: empty + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: empty + - mountPath: /test-pd + name: bar + - name: busybox03 + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: empty + volumes: + - name: foo + hostPath: + path: /data + - name: empty + emptyDir: + medium: memory + sizeLimit: 20Mi + - name: bar + hostPath: + path: /data/junk +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod02 + namespace: remove-hostpathvols-ns +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: config-vol + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: empty + volumes: + - name: empty + emptyDir: + medium: memory + sizeLimit: 20Mi + - name: foo + hostPath: + path: /data/junk + - name: config-vol + configMap: + name: foo + items: + - key: foo + path: bar +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod03 + namespace: remove-hostpathvols-ns +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + volumes: + - name: empty + emptyDir: + medium: memory + sizeLimit: 20Mi + - name: config-vol + configMap: + name: foo + items: + - key: foo + path: bar +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod04 + namespace: remove-hostpathvols-ns +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: config-vol + - name: busybox02 + image: 
ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: foo + - name: busybox03 + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: empty + volumes: + - name: empty + emptyDir: + medium: memory + sizeLimit: 20Mi + - name: foo + hostPath: + path: /data/junk + - name: config-vol + configMap: + name: foo + items: + - key: foo + path: bar +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod05 + namespace: remove-hostpathvols-ns +spec: + automountServiceAccountToken: false + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + volumeMounts: + - mountPath: /foo + name: foo + - name: busybox03 + image: ghcr.io/kyverno/test-busybox:1.35 + volumes: + - name: foo + hostPath: + path: /data/junk \ No newline at end of file diff --git a/other-mpol/remove-hostpath-volumes/.chainsaw-test/policy-ready.yaml b/other-mpol/remove-hostpath-volumes/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..df8b52578 --- /dev/null +++ b/other-mpol/remove-hostpath-volumes/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,18 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: MutatingPolicy +metadata: + name: remove-hostpath-volumes +status: + conditionStatus: + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + (length(conditions)): 2 + ready: true \ No newline at end of file diff --git a/other-mpol/remove-hostpath-volumes/.kyverno-test/kyverno-test.yaml b/other-mpol/remove-hostpath-volumes/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..25cbe7b59 --- /dev/null +++ b/other-mpol/remove-hostpath-volumes/.kyverno-test/kyverno-test.yaml 
@@ -0,0 +1,16 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: remove-hostpath-volumes +policies: +- ../remove-hostpath-volumes.yaml +resources: +- resource.yaml +results: +- kind: Pod + patchedResources: patchedResource.yaml + policy: remove-hostpath-volumes + resources: + - busybox + result: pass + isMutatingPolicy: true diff --git a/other-mpol/remove-hostpath-volumes/.kyverno-test/patchedResource.yaml b/other-mpol/remove-hostpath-volumes/.kyverno-test/patchedResource.yaml new file mode 100644 index 000000000..e0006b39d --- /dev/null +++ b/other-mpol/remove-hostpath-volumes/.kyverno-test/patchedResource.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: busybox +spec: + containers: + - name: busybox + image: busybox:1.35 + volumeMounts: + - mountPath: /bar + name: vault-secret + - name: nginx + image: busybox:1.35 + volumes: + - name: vault-secret + emptyDir: + medium: Memory \ No newline at end of file diff --git a/other-mpol/remove-hostpath-volumes/.kyverno-test/resource.yaml b/other-mpol/remove-hostpath-volumes/.kyverno-test/resource.yaml new file mode 100644 index 000000000..90deb5bec --- /dev/null +++ b/other-mpol/remove-hostpath-volumes/.kyverno-test/resource.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: busybox +spec: + containers: + - name: busybox + image: busybox:1.35 + volumeMounts: + - mountPath: /foo + name: socket + - mountPath: /bar + name: vault-secret + - mountPath: /baz + name: bar + - name: nginx + image: busybox:1.35 + volumeMounts: + - mountPath: /foo + name: socket + volumes: + - name: socket + hostPath: + path: "/var/run/foo" + - name: vault-secret + emptyDir: + medium: Memory + - name: bar + hostPath: + path: "/var/run/bar" \ No newline at end of file diff --git a/other-mpol/remove-hostpath-volumes/artifacthub-pkg.yml b/other-mpol/remove-hostpath-volumes/artifacthub-pkg.yml new file mode 100644 index 000000000..546390997 --- /dev/null 
+++ b/other-mpol/remove-hostpath-volumes/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: remove-hostpath-volumes +version: 1.0.0 +displayName: Remove hostPath Volumes +createdAt: "2023-05-06T00:30:05.000Z" +description: >- + Pods which mount hostPath volumes are provided access to the underlying filesystem of the Node on which they run. In most scenarios, this should be forbidden. In others, it may be useful to silently remove those hostPath volumes rather than blocking the Pod. This policy removes all hostPath volumes and their volumeMount references from all containers within a Pod. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-mpol/remove-hostpath-volumes/remove-hostpath-volumes.yaml + ``` +keywords: + - kyverno + - Other +readme: | + Pods which mount hostPath volumes are provided access to the underlying filesystem of the Node on which they run. In most scenarios, this should be forbidden. In others, it may be useful to silently remove those hostPath volumes rather than blocking the Pod. This policy removes all hostPath volumes and their volumeMount references from all containers within a Pod. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other" + kyverno/kubernetesVersion: "1.25" + kyverno/subject: "Pod,Volume" +digest: 9f648bb5ea45a2342e7e93f06f655968bb8b7292b16e1839821f99697e3493fe diff --git a/other-mpol/remove-hostpath-volumes/remove-hostpath-volumes.yaml b/other-mpol/remove-hostpath-volumes/remove-hostpath-volumes.yaml new file mode 100644 index 000000000..2fe9d6d29 --- /dev/null +++ b/other-mpol/remove-hostpath-volumes/remove-hostpath-volumes.yaml 
@@ -0,0 +1,92 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: MutatingPolicy +metadata: + name: remove-hostpath-volumes + annotations: + policies.kyverno.io/title: Remove hostPath Volumes + policies.kyverno.io/category: Other + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod,Volume + policies.kyverno.io/description: >- + Pods which mount hostPath volumes are provided access to the underlying filesystem + of the Node on which they run. In most scenarios, this should be forbidden. In others, + it may be useful to silently remove those hostPath volumes rather than blocking the Pod. + This policy removes all hostPath volumes and their volumeMount references from all containers + within a Pod. +spec: + evaluation: + admission: + enabled: true + matchConstraints: + resourceRules: + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["pods"] + variables: + - name: hostpathVolumes + expression: | + has(object.spec.volumes) ? + object.spec.volumes.filter(v, has(v.hostPath)).map(v, v.name) : + [] + - name: hasHostPath + expression: | + variables.hostpathVolumes.size() > 0 + matchConditions: + - name: has-hostpath-volumes + expression: variables.hasHostPath + mutations: + - patchType: JSONPatch + jsonPatch: + expression: | + [ + JSONPatch{ + op: "replace", + path: "/spec/volumes", + value: object.spec.volumes.filter(v, !has(v.hostPath)) + } + ] + + object.spec.containers.map(c, + has(c.volumeMounts) ? + (c.volumeMounts.filter(vm, !variables.hostpathVolumes.exists(hpv, hpv == vm.name)).size() > 0 ? 
+ JSONPatch{ + op: "replace", + path: "/spec/containers/" + string(object.spec.containers.indexOf(c)) + "/volumeMounts", + value: c.volumeMounts.filter(vm, !variables.hostpathVolumes.exists(hpv, hpv == vm.name)) + } : + JSONPatch{ + op: "remove", + path: "/spec/containers/" + string(object.spec.containers.indexOf(c)) + "/volumeMounts" + }) + : JSONPatch{op: "test", path: "/", value: null} + ).filter(p, p.op != "test") + + (has(object.spec.initContainers) ? + object.spec.initContainers.map(c, + has(c.volumeMounts) ? + (c.volumeMounts.filter(vm, !variables.hostpathVolumes.exists(hpv, hpv == vm.name)).size() > 0 ? + JSONPatch{ + op: "replace", + path: "/spec/initContainers/" + string(object.spec.initContainers.indexOf(c)) + "/volumeMounts", + value: c.volumeMounts.filter(vm, !variables.hostpathVolumes.exists(hpv, hpv == vm.name)) + } : + JSONPatch{ + op: "remove", + path: "/spec/initContainers/" + string(object.spec.initContainers.indexOf(c)) + "/volumeMounts" + }) + : JSONPatch{op: "test", path: "/", value: null} + ).filter(p, p.op != "test") : []) + + (has(object.spec.ephemeralContainers) ? + object.spec.ephemeralContainers.map(c, + has(c.volumeMounts) ? + (c.volumeMounts.filter(vm, !variables.hostpathVolumes.exists(hpv, hpv == vm.name)).size() > 0 ? + JSONPatch{ + op: "replace", + path: "/spec/ephemeralContainers/" + string(object.spec.ephemeralContainers.indexOf(c)) + "/volumeMounts", + value: c.volumeMounts.filter(vm, !variables.hostpathVolumes.exists(hpv, hpv == vm.name)) + } : + JSONPatch{ + op: "remove", + path: "/spec/ephemeralContainers/" + string(object.spec.ephemeralContainers.indexOf(c)) + "/volumeMounts" + }) + : JSONPatch{op: "test", path: "/", value: null} + ).filter(p, p.op != "test") : []) \ No newline at end of file diff --git a/other-mpol/replace-image-registry/.chainsaw-test/chainsaw-test.yaml b/other-mpol/replace-image-registry/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..935adc745 --- /dev/null 
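Review bot: The `ephemeralContainers` branch at the end of the `jsonPatch` expression cannot run at admission, because `matchConstraints.resourceRules` lists only `resources: ["pods"]`, while ephemeral containers are added through the `pods/ephemeralcontainers` subresource, which a webhook only receives when that subresource is listed explicitly. Since `spec.volumes` is immutable after creation and hostPath volumes are stripped on CREATE, the practical exposure appears limited to Pods created before the policy was installed, where a `kubectl debug` container could still mount a surviving hostPath volume. If that case is meant to be covered, change the rule to `resources: ["pods", "pods/ephemeralcontainers"]` (bearing in mind only the ephemeral-container field is writable on that request, so the `/spec/volumes` patch would have to be made conditional); otherwise drop the dead branch to shorten the expression. Separately, the placeholder `JSONPatch{op: "test", path: "/", value: null}` plus `.filter(p, p.op != "test")` can be avoided by filtering on `has(c.volumeMounts)` before the `map`, since `object.spec.containers.indexOf(c)` still resolves against the full list.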
+++ b/other-mpol/replace-image-registry/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,30 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: replace-image-registry +spec: + steps: + - name: step-01 + try: + - apply: + file: ../replace-image-registry.yaml + - apply: + file: ns.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pods.yaml + - assert: + file: pod-patched.yaml + - assert: + file: pod-patched02.yaml + - assert: + file: pod-patched03.yaml + - name: step-03 + try: + - script: + content: kubectl delete all --all --force --grace-period=0 -n replace-registry-ns diff --git a/other-mpol/replace-image-registry/.chainsaw-test/ns.yaml b/other-mpol/replace-image-registry/.chainsaw-test/ns.yaml new file mode 100644 index 000000000..6e44ab3c6 --- /dev/null +++ b/other-mpol/replace-image-registry/.chainsaw-test/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: replace-registry-ns \ No newline at end of file diff --git a/other-mpol/replace-image-registry/.chainsaw-test/pod-patched.yaml b/other-mpol/replace-image-registry/.chainsaw-test/pod-patched.yaml new file mode 100644 index 000000000..b7cdce9c3 --- /dev/null +++ b/other-mpol/replace-image-registry/.chainsaw-test/pod-patched.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod01 + namespace: replace-registry-ns +spec: + containers: + - name: busybox + image: myregistry.corp.com/busybox:1.35 + - name: busybox02 + image: myregistry.corp.com/busybox:1.35 \ No newline at end of file diff --git a/other-mpol/replace-image-registry/.chainsaw-test/pod-patched02.yaml b/other-mpol/replace-image-registry/.chainsaw-test/pod-patched02.yaml new file mode 100644 index 000000000..0c70063f7 --- /dev/null 
+++ b/other-mpol/replace-image-registry/.chainsaw-test/pod-patched02.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod02 + namespace: replace-registry-ns +spec: + initContainers: + - name: kyverno + image: myregistry.corp.com/kyverno:1.10.1 + - name: busybox-init + image: myregistry.corp.com/busybox:1.35 + containers: + - name: busybox + image: myregistry.corp.com/kyverno:1.10.1 + - name: busybox02 + image: myregistry.corp.com/busybox:1.35 \ No newline at end of file diff --git a/other-mpol/replace-image-registry/.chainsaw-test/pod-patched03.yaml b/other-mpol/replace-image-registry/.chainsaw-test/pod-patched03.yaml new file mode 100644 index 000000000..72480e267 --- /dev/null +++ b/other-mpol/replace-image-registry/.chainsaw-test/pod-patched03.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod03 + namespace: replace-registry-ns +spec: + initContainers: + - name: kyverno + image: myregistry.corp.com/kyverno:1.10.1 + - name: busybox-init + image: myregistry.corp.com/foo/bar/baz/busybox:1.35 + containers: + - name: busybox + image: myregistry.corp.com/kyverno:1.10.1 + - name: busybox02 + image: myregistry.corp.com/foo/bar/baz/busybox:1.35 \ No newline at end of file diff --git a/other-mpol/replace-image-registry/.chainsaw-test/pods.yaml b/other-mpol/replace-image-registry/.chainsaw-test/pods.yaml new file mode 100644 index 000000000..431e2298a --- /dev/null +++ b/other-mpol/replace-image-registry/.chainsaw-test/pods.yaml 
@@ -0,0 +1,45 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod01 + namespace: replace-registry-ns +spec: + containers: + - name: busybox + image: ghcr.io/busybox:1.35 + - name: busybox02 + image: docker.io/busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod02 + namespace: replace-registry-ns +spec: + initContainers: + - name: kyverno + image: kyverno:1.10.1 + - name: busybox-init + image: docker.io/busybox:1.35 + containers: + - name: busybox + image: registry.corp.com/kyverno:1.10.1 + - name: busybox02 + image: docker.io/busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod03 + namespace: replace-registry-ns +spec: + initContainers: + - name: kyverno + image: kyverno:1.10.1 + - name: busybox-init + image: ghcr.io/foo/bar/baz/busybox:1.35 + containers: + - name: busybox + image: registry.corp.com/kyverno:1.10.1 + - name: busybox02 + image: ghcr.io/foo/bar/baz/busybox:1.35 \ No newline at end of file diff --git a/other-mpol/replace-image-registry/.chainsaw-test/policy-ready.yaml b/other-mpol/replace-image-registry/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..e81412a9e --- /dev/null +++ b/other-mpol/replace-image-registry/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,18 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: MutatingPolicy +metadata: + name: replace-image-registry +status: + conditionStatus: + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + (length(conditions)): 2 + ready: true \ No newline at end of file diff --git a/other-mpol/replace-image-registry/.kyverno-test/kyverno-test.yaml b/other-mpol/replace-image-registry/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..f4b2380f1 --- /dev/null 
+++ b/other-mpol/replace-image-registry/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,23 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: replace-image-registry +policies: +- ../replace-image-registry.yaml +resources: +- resource.yaml +results: +- kind: Pod + patchedResources: patchedResource1.yaml + policy: replace-image-registry + resources: + - myapp-pod1 + result: pass + isMutatingPolicy: true +- kind: Pod + patchedResources: patchedResource3.yaml + policy: replace-image-registry + resources: + - myapp-pod2 + result: pass + isMutatingPolicy: true diff --git a/other-mpol/replace-image-registry/.kyverno-test/patchedResource1.yaml b/other-mpol/replace-image-registry/.kyverno-test/patchedResource1.yaml new file mode 100644 index 000000000..8b064ec21 --- /dev/null +++ b/other-mpol/replace-image-registry/.kyverno-test/patchedResource1.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod1 + namespace: default +spec: + containers: + - image: myregistry.corp.com/nginx:latest + name: docker-with-registry \ No newline at end of file diff --git a/other-mpol/replace-image-registry/.kyverno-test/patchedResource3.yaml b/other-mpol/replace-image-registry/.kyverno-test/patchedResource3.yaml new file mode 100644 index 000000000..6ade9abfe --- /dev/null +++ b/other-mpol/replace-image-registry/.kyverno-test/patchedResource3.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod2 + namespace: default +spec: + containers: + - image: myregistry.corp.com/nginx:latest + name: without-registry + initContainers: + - command: + - sh + - -c + - echo The app is running! && sleep 3600 + image: myregistry.corp.com/busybox:latest + name: init-without-registry \ No newline at end of file diff --git a/other-mpol/replace-image-registry/.kyverno-test/resource.yaml b/other-mpol/replace-image-registry/.kyverno-test/resource.yaml new file mode 100644 index 000000000..cf3834a59 --- /dev/null 
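Review bot: The `results` list asserts only `myapp-pod1` and `myapp-pod2`, yet `resource.yaml` also carries a `mydeploy` Deployment with `gcr.io/httpd:latest`, and the patched files jump from `patchedResource1.yaml` to `patchedResource3.yaml`, so the Deployment is loaded but never checked. Because the policy's `matchConstraints` matches only `pods`, the expected outcome is that the Deployment is left alone; pin that with a `- kind: Deployment` entry for `mydeploy` using `result: skip` (if the CLI supports it for MutatingPolicy), or drop the Deployment from the fixture so it only holds what the test asserts.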
+++ b/other-mpol/replace-image-registry/.kyverno-test/resource.yaml @@ -0,0 +1,41 @@ +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod1 +spec: + containers: + - image: docker.io/nginx:latest + name: docker-with-registry +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mydeploy +spec: + replicas: 2 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - image: gcr.io/httpd:latest + name: gcr-with-registry + ports: + - containerPort: 80 +--- +apiVersion: v1 +kind: Pod +metadata: + name: myapp-pod2 +spec: + containers: + - name: without-registry + image: nginx:latest + initContainers: + - name: init-without-registry + image: busybox:latest + command: ['sh', '-c', 'echo The app is running! && sleep 3600'] diff --git a/other-mpol/replace-image-registry/artifacthub-pkg.yml b/other-mpol/replace-image-registry/artifacthub-pkg.yml new file mode 100644 index 000000000..458bc6da9 --- /dev/null +++ b/other-mpol/replace-image-registry/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: replace-image-registry +version: 1.0.0 +displayName: Replace Image Registry +createdAt: "2023-04-10T20:30:05.000Z" +description: >- + Rather than blocking Pods which come from outside registries, it is also possible to mutate them so the pulls are directed to approved registries. In some cases, those registries may function as pull-through proxies and can fetch the image if not cached. This policy mutates all images either in the form 'image:tag' or 'registry.corp.com/image:tag' to be `myregistry.corp.com/`. Any path in the image name will be preserved. Note that this mutates Pods directly and not their controllers. It can be changed if desired but if so may need to not match on Pods. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-mpol/replace-image-registry/replace-image-registry.yaml + ``` +keywords: + - kyverno + - Sample +readme: | + Rather than blocking Pods which come from outside registries, it is also possible to mutate them so the pulls are directed to approved registries. In some cases, those registries may function as pull-through proxies and can fetch the image if not cached. This policy mutates all images either in the form 'image:tag' or 'registry.corp.com/image:tag' to be `myregistry.corp.com/`. Any path in the image name will be preserved. Note that this mutates Pods directly and not their controllers. It can be changed if desired but if so may need to not match on Pods. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Sample" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "Pod" +digest: 2463c641a775bf52901516d24d5a6898298a630ed7b6ec981dcee3354e798a38 diff --git a/other-mpol/replace-image-registry/replace-image-registry.yaml b/other-mpol/replace-image-registry/replace-image-registry.yaml new file mode 100644 index 000000000..f0870b0a6 --- /dev/null 
+++ b/other-mpol/replace-image-registry/replace-image-registry.yaml 
@@ -0,0 +1,67 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: MutatingPolicy +metadata: + name: replace-image-registry + annotations: + policies.kyverno.io/title: Replace Image Registry + policies.kyverno.io/category: Sample + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + Rather than blocking Pods which come from outside registries, + it is also possible to mutate them so the pulls are directed to + approved registries. In some cases, those registries may function as + pull-through proxies and can fetch the image if not cached. + This policy mutates all images either in the form 'image:tag' or + 'registry.corp.com/image:tag' to be 'myregistry.corp.com/'. Any + path in the image name will be preserved. +spec: + matchConstraints: + resourceRules: + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["pods"] + + variables: + - name: stripRegistry + expression: | + string(img) => + img.contains('/') && img.split('/')[0].contains('.') ? + img.split('/', 2)[1] : + img + + mutations: + - patchType: ApplyConfiguration + applyConfiguration: + expression: | + Object{ + spec: Object.spec{ + containers: object.spec.containers.map(c, + Object.spec.containers{ + name: c.name, + image: 'myregistry.corp.com/' + + (c.image.contains('/') && c.image.split('/')[0].contains('.') ? + c.image.substring(c.image.indexOf('/') + 1) : + c.image.replace('localhost/', '')) + } + ), + initContainers: has(object.spec.initContainers) ? + object.spec.initContainers.map(c, + Object.spec.initContainers{ + name: c.name, + image: 'myregistry.corp.com/' + + (c.image.contains('/') && c.image.split('/')[0].contains('.') ? + c.image.substring(c.image.indexOf('/') + 1) : + c.image.replace('localhost/', '')) + } + ) : [] + } + } + + evaluation: + admission: + enabled: true + + webhookConfiguration: + timeoutSeconds: 10 \ No newline at end of file 
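Review bot: The registry test used in both `image:` expressions, `c.image.split('/')[0].contains('.')`, misses registries written as `host:port` with no dot, e.g. `localhost:5000/app:1.0` or `registry:5000/app:1.0`; the fallback `c.image.replace('localhost/', '')` does not strip them either, so the result is `myregistry.corp.com/localhost:5000/app:1.0`, which is not a valid image reference and surfaces as `InvalidImageName` instead of a redirected pull. The reference grammar treats the first component as a registry when it contains `.` or `:` or equals `localhost`, so the guard should read `(c.image.split('/')[0].contains('.') || c.image.split('/')[0].contains(':') || c.image.split('/')[0] == 'localhost')`. The `stripRegistry` variable is referenced by neither mutation and its `string(img) => ...` body is not CEL syntax I recognise; if the compiler tolerates it, it is dead code, so either remove it or turn it into a real expression both branches share instead of duplicating the logic. `ephemeralContainers` images are left untouched as well, which may be intended but is worth stating in the description.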
diff --git a/other-mpol/replace-ingress-hosts/.chainsaw-test/README.md b/other-mpol/replace-ingress-hosts/.chainsaw-test/README.md new file mode 100644 index 000000000..1e9be3bf9 --- /dev/null +++ b/other-mpol/replace-ingress-hosts/.chainsaw-test/README.md @@ -0,0 +1,11 @@ +## Description + +This is a test of the policy in this folder. + +## Expected Behavior + +The resource is expected to be mutated so it resembles the specified asserted resource. If it does, the test passes. If it does not, it fails. + +## Reference Issue(s) + +N/A \ No newline at end of file diff --git a/other-mpol/replace-ingress-hosts/.chainsaw-test/chainsaw-test.yaml b/other-mpol/replace-ingress-hosts/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..144e2ff80 --- /dev/null +++ b/other-mpol/replace-ingress-hosts/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,22 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: replace-ingress-hosts +spec: + steps: + - name: step-01 + try: + - apply: + file: ns.yaml + - apply: + file: ../replace-ingress-hosts.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: kuttlresource.yaml + - assert: + file: resource-mutated.yaml diff --git a/other-mpol/replace-ingress-hosts/.chainsaw-test/kuttlresource.yaml b/other-mpol/replace-ingress-hosts/.chainsaw-test/kuttlresource.yaml new file mode 100644 index 000000000..59f2ecb38 --- /dev/null +++ b/other-mpol/replace-ingress-hosts/.chainsaw-test/kuttlresource.yaml 
@@ -0,0 +1,37 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: kuard + namespace: replace-ingress-hosts + labels: + app: kuard +spec: + rules: + - host: kuard.old.com + http: + paths: + - backend: + service: + name: kuard + port: + number: 8080 + path: / + pathType: ImplementationSpecific + - host: hr.old.com + http: + paths: + - backend: + service: + name: kuard + port: + number: 8090 + path: /myhr + pathType: ImplementationSpecific + tls: + - hosts: + - kuard.old.com + - kuard-foo.old.com + secretName: foosecret.old.com + - hosts: + - hr.old.com + secretName: hr.old.com \ No newline at end of file diff --git a/other-mpol/replace-ingress-hosts/.chainsaw-test/ns.yaml b/other-mpol/replace-ingress-hosts/.chainsaw-test/ns.yaml new file mode 100644 index 000000000..9f81b3713 --- /dev/null +++ b/other-mpol/replace-ingress-hosts/.chainsaw-test/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: replace-ingress-hosts \ No newline at end of file diff --git a/other-mpol/replace-ingress-hosts/.chainsaw-test/policy-ready.yaml b/other-mpol/replace-ingress-hosts/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..f7f47e956 --- /dev/null +++ b/other-mpol/replace-ingress-hosts/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,18 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: MutatingPolicy +metadata: + name: replace-ingress-hosts +status: + conditionStatus: + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + (length(conditions)): 2 + ready: true \ No newline at end of file 
diff --git a/other-mpol/replace-ingress-hosts/.chainsaw-test/resource-mutated.yaml b/other-mpol/replace-ingress-hosts/.chainsaw-test/resource-mutated.yaml new file mode 100644 index 000000000..7127f77a0 --- /dev/null +++ b/other-mpol/replace-ingress-hosts/.chainsaw-test/resource-mutated.yaml @@ -0,0 +1,37 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + labels: + app: kuard + name: kuard + namespace: replace-ingress-hosts +spec: + rules: + - host: kuard.new.com + http: + paths: + - backend: + service: + name: kuard + port: + number: 8080 + path: / + pathType: ImplementationSpecific + - host: hr.new.com + http: + paths: + - backend: + service: + name: kuard + port: + number: 8090 + path: /myhr + pathType: ImplementationSpecific + tls: + - hosts: + - kuard.new.com + - kuard-foo.new.com + secretName: foosecret.new.com + - hosts: + - hr.new.com + secretName: hr.new.com \ No newline at end of file diff --git a/other-mpol/replace-ingress-hosts/artifacthub-pkg.yml b/other-mpol/replace-ingress-hosts/artifacthub-pkg.yml new file mode 100644 index 000000000..751337551 --- /dev/null +++ b/other-mpol/replace-ingress-hosts/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: replace-ingress-hosts +version: 1.0.0 +displayName: Replace Ingress Hosts +createdAt: "2023-04-10T20:30:05.000Z" +description: >- + An Ingress may specify host names at a variety of locations in the same resource. In some cases, those host names should be modified to, for example, update domain names silently. The replacement must be done in all the fields where a host name can be specified. This policy, illustrating the use of nested foreach loops and operable in Kyverno 1.9+, replaces host names that end with `old.com` with `new.com`. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-mpol/replace-ingress-hosts/replace-ingress-hosts.yaml + ``` +keywords: + - kyverno + - Other +readme: | + An Ingress may specify host names at a variety of locations in the same resource. In some cases, those host names should be modified to, for example, update domain names silently. The replacement must be done in all the fields where a host name can be specified. This policy, illustrating the use of nested foreach loops and operable in Kyverno 1.9+, replaces host names that end with `old.com` with `new.com`. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other" + kyverno/kubernetesVersion: "1.24" + kyverno/subject: "Ingress" +digest: 3e0ce0322eb5b494d719a96cfd57120a18e3e9c1ed6e1e391029472f14060f98 diff --git a/other-mpol/replace-ingress-hosts/replace-ingress-hosts.yaml b/other-mpol/replace-ingress-hosts/replace-ingress-hosts.yaml new file mode 100644 index 000000000..697d48c4e --- /dev/null +++ b/other-mpol/replace-ingress-hosts/replace-ingress-hosts.yaml 
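Review bot: The `description` and `readme` still say the policy is "illustrating the use of nested foreach loops and operable in Kyverno 1.9+", which described the ClusterPolicy; this `policies.kyverno.io/v1alpha1` MutatingPolicy uses CEL `JSONPatch` expressions with no foreach and needs a release that ships MutatingPolicy. Reword both places to something like `This policy, written as a CEL-based MutatingPolicy, replaces host names that end with old.com with new.com in spec.rules[].host, spec.tls[].hosts[] and spec.tls[].secretName.`, and revisit `kyverno/kubernetesVersion: "1.24"` if the MutatingPolicy CRD has a higher floor.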
@@ -0,0 +1,82 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: MutatingPolicy
+metadata:
+ name: replace-ingress-hosts
+ annotations:
+ policies.kyverno.io/title: Replace Ingress Hosts
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ An Ingress may specify host names at a variety of locations in the same resource.
+ This policy replaces host names that end with `old.com` with `new.com` in all
+ relevant fields including spec.rules[].host, spec.tls[].hosts[], and spec.tls[].secretName.
+spec:
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["networking.k8s.io"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["ingresses"]
+
+ evaluation:
+ admission:
+ enabled: true
+ mutateExisting:
+ enabled: false
+
+ mutations:
+ - patchType: JSONPatch
+ jsonPatch:
+ expression: |
+ object.spec.?rules.orValue([]).map(rule,
+ has(rule.host) && rule.host.endsWith('.old.com') ?
+ JSONPatch{
+ op: "replace",
+ path: "/spec/rules/" + string(object.spec.rules.indexOf(rule)) + "/host",
+ value: rule.host.replace('.old.com', '.new.com')
+ } : null
+ ).filter(patch, patch != null)
+ - patchType: JSONPatch
+ jsonPatch:
+ expression: |
+ object.spec.?tls.orValue([]).size() > 0 &&
+ object.spec.tls[0].?hosts.orValue([]).size() > 0 &&
+ object.spec.tls[0].hosts[0].endsWith('.old.com') ?
+ [JSONPatch{
+ op: "replace",
+ path: "/spec/tls/0/hosts/0",
+ value: object.spec.tls[0].hosts[0].replace('.old.com', '.new.com')
+ }] : []
+ - patchType: JSONPatch
+ jsonPatch:
+ expression: |
+ object.spec.?tls.orValue([]).size() > 0 &&
+ object.spec.tls[0].?hosts.orValue([]).size() > 1 &&
+ object.spec.tls[0].hosts[1].endsWith('.old.com') ?
+ [JSONPatch{
+ op: "replace",
+ path: "/spec/tls/0/hosts/1",
+ value: object.spec.tls[0].hosts[1].replace('.old.com', '.new.com')
+ }] : []
+ - patchType: JSONPatch
+ jsonPatch:
+ expression: |
+ object.spec.?tls.orValue([]).size() > 1 &&
+ object.spec.tls[1].?hosts.orValue([]).size() > 0 &&
+ object.spec.tls[1].hosts[0].endsWith('.old.com') ?
+ [JSONPatch{
+ op: "replace",
+ path: "/spec/tls/1/hosts/0",
+ value: object.spec.tls[1].hosts[0].replace('.old.com', '.new.com')
+ }] : []
+ - patchType: JSONPatch
+ jsonPatch:
+ expression: |
+ object.spec.?tls.orValue([]).map(tlsEntry,
+ has(tlsEntry.secretName) && tlsEntry.secretName.contains('.old.com') ?
+ JSONPatch{
+ op: "replace",
+ path: "/spec/tls/" + string(object.spec.tls.indexOf(tlsEntry)) + "/secretName",
+ value: tlsEntry.secretName.replace('.old.com', '.new.com')
+ } : null
+ ).filter(patch, patch != null)
diff --git a/other-mpol/resolve-image-to-digest/.chainsaw-test/chainsaw-test.yaml b/other-mpol/resolve-image-to-digest/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..ce86e9881
--- /dev/null
+++ b/other-mpol/resolve-image-to-digest/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,24 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: resolve-image-to-digest
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../resolve-image-to-digest.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pods.yaml
+ - assert:
+ file: pods-patched.yaml
+ - apply:
+ file: podcontroller.yaml
+ - assert:
+ file: podcontroller-patched.yaml
diff --git a/other-mpol/resolve-image-to-digest/.chainsaw-test/podcontroller-patched.yaml b/other-mpol/resolve-image-to-digest/.chainsaw-test/podcontroller-patched.yaml
new file mode 100644
index 000000000..29f9432b0
--- /dev/null
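Review bot: The three TLS-host mutations are hard-wired to `/spec/tls/0/hosts/0`, `/spec/tls/0/hosts/1` and `/spec/tls/1/hosts/0`, so a third host in the first `tls` entry, a second host in the second entry, or any third entry keeps its `.old.com` name while `rules[].host` and `secretName` are rewritten — contradicting the description's "all relevant fields" and leaving an Ingress that still claims TLS for an old-domain host. `kuttlresource.yaml` happens to contain exactly those three positions, so the chainsaw assertion cannot catch the gap. Replace the three index-bound patches with one patch per `tls` entry that rewrites its whole `hosts` list, mirroring the `rules` and `secretName` patches (sketched below); this also means an Ingress with no `.old.com` TLS host yields no patch at all. Note that `replace('.old.com', '.new.com')` substitutes every occurrence rather than only the suffix guarded by `endsWith`, which is harmless for ordinary names but worth a comment.

```yaml
  mutations:
    # … unchanged: spec.rules[].host patch …
    - patchType: JSONPatch
      jsonPatch:
        expression: |
          object.spec.?tls.orValue([]).filter(tlsEntry,
            has(tlsEntry.hosts) && tlsEntry.hosts.exists(h, h.endsWith('.old.com'))
          ).map(tlsEntry,
            JSONPatch{
              op: "replace",
              path: "/spec/tls/" + string(object.spec.tls.indexOf(tlsEntry)) + "/hosts",
              value: tlsEntry.hosts.map(h, h.endsWith('.old.com') ? h.replace('.old.com', '.new.com') : h)
            }
          )
    # … unchanged: spec.tls[].secretName patch …
```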
+++ b/other-mpol/resolve-image-to-digest/.chainsaw-test/podcontroller-patched.yaml @@ -0,0 +1,39 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: deployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.28@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3 + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.28@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: cronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.28@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3 + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.28@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3 + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-mpol/resolve-image-to-digest/.chainsaw-test/podcontroller.yaml b/other-mpol/resolve-image-to-digest/.chainsaw-test/podcontroller.yaml new file mode 100644 index 000000000..535f4e9ee --- /dev/null +++ b/other-mpol/resolve-image-to-digest/.chainsaw-test/podcontroller.yaml 
@@ -0,0 +1,39 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: deployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.28 + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.28 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: cronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.28 + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.28 + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-mpol/resolve-image-to-digest/.chainsaw-test/pods-patched.yaml b/other-mpol/resolve-image-to-digest/.chainsaw-test/pods-patched.yaml new file mode 100644 index 000000000..e6f904105 --- /dev/null +++ b/other-mpol/resolve-image-to-digest/.chainsaw-test/pods-patched.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod01 +spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.28@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod02 +spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.28@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3 + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.28@sha256:859d41e4316c182cb559f9ae3c5ffcac8602ee1179794a1707c06cd092a008d3 diff --git a/other-mpol/resolve-image-to-digest/.chainsaw-test/pods.yaml b/other-mpol/resolve-image-to-digest/.chainsaw-test/pods.yaml new file mode 100644 index 000000000..de8c9dae3 --- /dev/null +++ b/other-mpol/resolve-image-to-digest/.chainsaw-test/pods.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod01 +spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.28 +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod02 +spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.28 + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.28 \ No newline at end of file diff --git a/other-mpol/resolve-image-to-digest/.chainsaw-test/policy-ready.yaml b/other-mpol/resolve-image-to-digest/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..bdfb94579 --- /dev/null +++ b/other-mpol/resolve-image-to-digest/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,18 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: MutatingPolicy +metadata: + name: resolve-image-to-digest +status: + conditionStatus: + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + (length(conditions)): 2 + ready: true \ No newline at end of file diff --git a/other-mpol/resolve-image-to-digest/artifacthub-pkg.yml b/other-mpol/resolve-image-to-digest/artifacthub-pkg.yml new file mode 100644 index 000000000..ffebae2d6 --- /dev/null +++ b/other-mpol/resolve-image-to-digest/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: resolve-image-to-digest +version: 1.0.0 +displayName: Resolve Image to Digest +createdAt: "2023-04-10T20:30:06.000Z" +description: >- + Image tags are mutable and the change of an image can result in the same tag. This policy resolves the image digest of each image in a container and replaces the image with the fully resolved reference which includes the digest rather than tag. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-mpol/resolve-image-to-digest/resolve-image-to-digest.yaml + ``` +keywords: + - kyverno + - Other +readme: | + Image tags are mutable and the change of an image can result in the same tag. This policy resolves the image digest of each image in a container and replaces the image with the fully resolved reference which includes the digest rather than tag. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "Pod" +digest: 312dd9f10b075d799492d84ec94d53e506aad086792d01102856d9876f7aea9a diff --git a/other-mpol/resolve-image-to-digest/resolve-image-to-digest.yaml b/other-mpol/resolve-image-to-digest/resolve-image-to-digest.yaml new file mode 100644 index 000000000..34fc27496 --- /dev/null +++ b/other-mpol/resolve-image-to-digest/resolve-image-to-digest.yaml 
@@ -0,0 +1,116 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: MutatingPolicy +metadata: + name: resolve-image-to-digest + annotations: + policies.kyverno.io/title: Resolve Image to Digest + policies.kyverno.io/category: Other + policies.kyverno.io/severity: medium + policies.kyverno.io/description: >- + Image tags are mutable and the change of an image can result in the same tag. + This policy resolves the image digest of each image in a container and replaces + the image with the fully resolved reference which includes the digest rather than tag. +spec: + evaluation: + admission: + enabled: true + mutateExisting: + enabled: false + autogen: + podControllers: + controllers: [] + + matchConstraints: + resourceRules: + - apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods"] + operations: ["CREATE", "UPDATE"] + - apiGroups: ["apps"] + apiVersions: ["v1"] + resources: ["deployments", "daemonsets", "statefulsets"] + operations: ["CREATE", "UPDATE"] + - apiGroups: ["batch"] + apiVersions: ["v1"] + resources: ["jobs", "cronjobs"] + operations: ["CREATE", "UPDATE"] + + variables: + - name: isPod + expression: "has(object.spec.containers)" + - name: isController + expression: "has(object.spec.template)" + - name: isCronJob + expression: "has(object.spec.jobTemplate)" + + - name: containers + expression: >- + variables.isPod ? object.spec.containers : + variables.isController ? object.spec.template.spec.containers : + variables.isCronJob ? object.spec.jobTemplate.spec.template.spec.containers : + [] + + - name: resolvedContainers + expression: >- + variables.containers.map(container, { + 'name': container.name, + 'image': image.GetMetadata(container.image).resolvedImage + }) + + mutations: + - patchType: ApplyConfiguration + applyConfiguration: + expression: >- + variables.isPod ? 
+ Object{ + spec: Object.spec{ + containers: variables.resolvedContainers.map(rc, + Object.spec.containers{ + name: rc.name, + image: rc.image + } + ) + } + } : Object{} + + - patchType: ApplyConfiguration + applyConfiguration: + expression: >- + variables.isController ? + Object{ + spec: Object.spec{ + template: Object.spec.template{ + spec: Object.spec.template.spec{ + containers: variables.resolvedContainers.map(rc, + Object.spec.template.spec.containers{ + name: rc.name, + image: rc.image + } + ) + } + } + } + } : Object{} + + - patchType: ApplyConfiguration + applyConfiguration: + expression: >- + variables.isCronJob ? + Object{ + spec: Object.spec{ + jobTemplate: Object.spec.jobTemplate{ + spec: Object.spec.jobTemplate.spec{ + template: Object.spec.jobTemplate.spec.template{ + spec: Object.spec.jobTemplate.spec.template.spec{ + containers: variables.resolvedContainers.map(rc, + Object.spec.jobTemplate.spec.template.spec.containers{ + name: rc.name, + image: rc.image + } + ) + } + } + } + } + } + } : Object{} \ No newline at end of file diff --git a/other-mpol/spread-pods-across-topology/.chainsaw-test/chainsaw-test.yaml b/other-mpol/spread-pods-across-topology/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..cfd60a81a --- /dev/null +++ b/other-mpol/spread-pods-across-topology/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,26 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: spread-pods-across-topology +spec: + steps: + - name: step-01 + try: + - apply: + file: ../spread-pods-across-topology.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: deploy.yaml + - name: step-03 + try: + - assert: + file: deploy01-patched.yaml + - error: + file: deploy02-not-patched.yaml + - error: + file: deploy03-not-patched.yaml 
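Review bot: `image.GetMetadata(container.image).resolvedImage` in the `resolvedContainers` variable performs a registry lookup for every container at admission, and the policy sets no `failurePolicy`, so an unreachable registry or a private image without credentials turns into a rejected create/update of the Pod or controller if the default Fail behaviour applies here rather than into an unpinned image; that trade-off belongs in `policies.kyverno.io/description`. Only `spec.containers` is resolved: `initContainers` and `ephemeralContainers` stay tag-referenced, which the description's "each image in a container" does not make clear, so either extend the `containers` variable and the ApplyConfiguration bodies to `initContainers` or state the limitation. The three near-identical ApplyConfiguration mutations rely on the container list being merged by `name` so that only `image` changes; a one-line comment above `mutations:` such as `# one ApplyConfiguration per kind; the container list merges on name, so only image is rewritten` would make that intent explicit for the next maintainer.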
diff --git a/other-mpol/spread-pods-across-topology/.chainsaw-test/deploy.yaml b/other-mpol/spread-pods-across-topology/.chainsaw-test/deploy.yaml new file mode 100644 index 000000000..4483c6711 --- /dev/null +++ b/other-mpol/spread-pods-across-topology/.chainsaw-test/deploy.yaml @@ -0,0 +1,68 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + distributed: required + app: busybox + name: deployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: ghcr.io/kyverno/test-busybox:1.35 + name: busybox +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: deployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: ghcr.io/kyverno/test-busybox:1.35 + name: busybox +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + distributed: required + app: busybox + name: deployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: ghcr.io/kyverno/test-busybox:1.35 + name: busybox + topologySpreadConstraints: + - maxSkew: 2 + topologyKey: blah + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + foo: bar \ No newline at end of file diff --git a/other-mpol/spread-pods-across-topology/.chainsaw-test/deploy01-patched.yaml b/other-mpol/spread-pods-across-topology/.chainsaw-test/deploy01-patched.yaml new file mode 100644 index 000000000..35d1d441c --- /dev/null +++ b/other-mpol/spread-pods-across-topology/.chainsaw-test/deploy01-patched.yaml 
@@ -0,0 +1,27 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + distributed: required + app: busybox + name: deployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: ghcr.io/kyverno/test-busybox:1.35 + name: busybox + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: zone + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + distributed: required \ No newline at end of file diff --git a/other-mpol/spread-pods-across-topology/.chainsaw-test/deploy02-not-patched.yaml b/other-mpol/spread-pods-across-topology/.chainsaw-test/deploy02-not-patched.yaml new file mode 100644 index 000000000..ccc57744e --- /dev/null +++ b/other-mpol/spread-pods-across-topology/.chainsaw-test/deploy02-not-patched.yaml @@ -0,0 +1,26 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: deployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: ghcr.io/kyverno/test-busybox:1.35 + name: busybox + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: zone + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + distributed: required \ No newline at end of file diff --git a/other-mpol/spread-pods-across-topology/.chainsaw-test/deploy03-not-patched.yaml b/other-mpol/spread-pods-across-topology/.chainsaw-test/deploy03-not-patched.yaml new file mode 100644 index 000000000..7526987d0 --- /dev/null +++ b/other-mpol/spread-pods-across-topology/.chainsaw-test/deploy03-not-patched.yaml 
@@ -0,0 +1,27 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + distributed: required + app: busybox + name: deployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: ghcr.io/kyverno/test-busybox:1.35 + name: busybox + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: zone + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + distributed: required \ No newline at end of file diff --git a/other-mpol/spread-pods-across-topology/.chainsaw-test/policy-ready.yaml b/other-mpol/spread-pods-across-topology/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..2a02ffd35 --- /dev/null +++ b/other-mpol/spread-pods-across-topology/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,18 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: MutatingPolicy +metadata: + name: spread-pods +status: + conditionStatus: + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + (length(conditions)): 2 + ready: true \ No newline at end of file diff --git a/other-mpol/spread-pods-across-topology/.kyverno-test/kyverno-test.yaml b/other-mpol/spread-pods-across-topology/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..dfe240cd0 --- /dev/null +++ b/other-mpol/spread-pods-across-topology/.kyverno-test/kyverno-test.yaml @@ -0,0 +1,16 @@ +apiVersion: cli.kyverno.io/v1alpha1 +kind: Test +metadata: + name: spread-pods +policies: +- ../spread-pods-across-topology.yaml +resources: +- resource.yaml +results: +- kind: Deployment + patchedResources: patchedResource.yaml + policy: spread-pods + resources: + - mydeploy + result: pass + isMutatingPolicy: true 
diff --git a/other-mpol/spread-pods-across-topology/.kyverno-test/patchedResource.yaml b/other-mpol/spread-pods-across-topology/.kyverno-test/patchedResource.yaml new file mode 100644 index 000000000..96f4c75a6 --- /dev/null +++ b/other-mpol/spread-pods-across-topology/.kyverno-test/patchedResource.yaml @@ -0,0 +1,28 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mydeploy + labels: + distributed: required +spec: + replicas: 2 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: nginx + image: nginx + ports: + - containerPort: 80 + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: zone + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + distributed: required diff --git a/other-mpol/spread-pods-across-topology/.kyverno-test/resource.yaml b/other-mpol/spread-pods-across-topology/.kyverno-test/resource.yaml new file mode 100644 index 000000000..06f0f9d1f --- /dev/null +++ b/other-mpol/spread-pods-across-topology/.kyverno-test/resource.yaml @@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mydeploy + labels: + distributed: required +spec: + replicas: 2 + selector: + matchLabels: + app: myapp + template: + metadata: + labels: + app: myapp + spec: + containers: + - name: nginx + image: nginx + ports: + - containerPort: 80 \ No newline at end of file diff --git a/other-mpol/spread-pods-across-topology/artifacthub-pkg.yml b/other-mpol/spread-pods-across-topology/artifacthub-pkg.yml new file mode 100644 index 000000000..441dc14be --- /dev/null +++ b/other-mpol/spread-pods-across-topology/artifacthub-pkg.yml 
@@ -0,0 +1,21 @@ +name: spread-pods-across-topology +version: 1.0.0 +displayName: Spread Pods Across Nodes +createdAt: "2023-04-10T20:30:07.000Z" +description: >- + Deployments to a Kubernetes cluster with multiple availability zones often need to distribute those replicas to align with those zones to ensure site-level failures do not impact availability. This policy matches Deployments with the label `distributed=required` and mutates them to spread Pods across zones. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-mpol/spread-pods-across-topology/spread-pods-across-topology.yaml + ``` +keywords: + - kyverno + - Sample +readme: | + Deployments to a Kubernetes cluster with multiple availability zones often need to distribute those replicas to align with those zones to ensure site-level failures do not impact availability. This policy matches Deployments with the label `distributed=required` and mutates them to spread Pods across zones. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Sample" + kyverno/subject: "Deployment, Pod" +digest: 6b1d9c7c56e3bc9cfea43987abce610875f94fb5c04bedcb9b05d69f829d502b diff --git a/other-mpol/spread-pods-across-topology/spread-pods-across-topology.yaml b/other-mpol/spread-pods-across-topology/spread-pods-across-topology.yaml new file mode 100644 index 000000000..2f226747d --- /dev/null +++ b/other-mpol/spread-pods-across-topology/spread-pods-across-topology.yaml 
@@ -0,0 +1,51 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: MutatingPolicy +metadata: + name: spread-pods + annotations: + policies.kyverno.io/title: Spread Pods Across Nodes + policies.kyverno.io/category: Sample + policies.kyverno.io/subject: Deployment, Pod + policies.kyverno.io/description: >- + Deployments to a Kubernetes cluster with multiple availability zones often need to + distribute those replicas to align with those zones to ensure site-level failures + do not impact availability. This policy matches Deployments with the label + `distributed=required` and mutates them to spread Pods across zones. +spec: + matchConstraints: + resourceRules: + - apiGroups: ["apps"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["deployments"] + objectSelector: + matchLabels: + distributed: required + + evaluation: + admission: + enabled: true + mutateExisting: + enabled: false + + mutations: + - patchType: JSONPatch + jsonPatch: + expression: | + !has(object.spec.template.spec.topologySpreadConstraints) ? + [JSONPatch{ + op: "add", + path: "/spec/template/spec/topologySpreadConstraints", + value: dyn([ + { + "maxSkew": dyn(1), + "topologyKey": dyn("zone"), + "whenUnsatisfiable": dyn("DoNotSchedule"), + "labelSelector": dyn({ + "matchLabels": dyn({ + "distributed": dyn("required") + }) + }) + } + ]) + }] : [] \ No newline at end of file diff --git a/other-mpol/update-image-tag/.chainsaw-test/chainsaw-step-01-apply-1.yaml b/other-mpol/update-image-tag/.chainsaw-test/chainsaw-step-01-apply-1.yaml new file mode 100755 index 000000000..dcfb7646c --- /dev/null +++ b/other-mpol/update-image-tag/.chainsaw-test/chainsaw-step-01-apply-1.yaml 
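Review bot: The title annotation `policies.kyverno.io/title: Spread Pods Across Nodes` contradicts the description and the patch body, which spread across zones via `topologyKey: zone`; change it to `policies.kyverno.io/title: Spread Pods Across Zones` (the `displayName` in this policy's artifacthub-pkg.yml has the same mismatch). `zone` is also not the well-known node label (`topology.kubernetes.io/zone`), and combined with `whenUnsatisfiable: DoNotSchedule` a key that no node carries can leave every replica Pending, so a comment above the value is warranted, e.g. `# topologyKey must be a label present on every node; the well-known zone key is topology.kubernetes.io/zone`. The `!has(object.spec.template.spec.topologySpreadConstraints)` guard leaves any Deployment that already declares constraints untouched even when they do not spread on zones (deployment03 in the test shows this), which the description could say. This policy is also the only one in the patch without a `policies.kyverno.io/severity` annotation.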
@@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + foo.io/foo: bar + vault.hashicorp.com/agent-inject: "true" + labels: + app: busybox + name: deployment00 + namespace: update-image-tag-ns +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: ghcr.io/kyverno/test-busybox:1.35 + name: busybox + - image: vault:1.2.3 + name: vault-agent diff --git a/other-mpol/update-image-tag/.chainsaw-test/chainsaw-test.yaml b/other-mpol/update-image-tag/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..be7b2eb81 --- /dev/null +++ b/other-mpol/update-image-tag/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,46 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: update-image-tag +spec: + steps: + - name: step-00 + try: + - apply: + file: cluster-role.yaml + - apply: + file: ns.yaml + - name: step-01 + try: + - apply: + file: chainsaw-step-01-apply-1.yaml + - name: step-02 + try: + - apply: + file: ../update-image-tag.yaml + - assert: + file: policy-ready.yaml + - name: step-03 + try: + - apply: + file: deploy.yaml + - assert: + file: deploy00-patched.yaml + - assert: + file: deploy01-patched.yaml + - assert: + file: deploy02-patched.yaml + - error: + file: deploy03-not-patched.yaml + - error: + file: deploy04-not-patched.yaml + - apply: + file: policy-update.yaml + - assert: + file: deploy00-patched-again.yaml + - assert: + file: deploy01-patched-again.yaml + - assert: + file: deploy02-patched-again.yaml diff --git a/other-mpol/update-image-tag/.chainsaw-test/cluster-role.yaml b/other-mpol/update-image-tag/.chainsaw-test/cluster-role.yaml new file mode 100644 index 000000000..2d7e5a909 --- /dev/null +++ b/other-mpol/update-image-tag/.chainsaw-test/cluster-role.yaml 
@@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kyverno:background-controller:update-image-tag + labels: + app.kubernetes.io/component: background-controller + app.kubernetes.io/instance: kyverno + app.kubernetes.io/part-of: kyverno +rules: +- apiGroups: + - apps + resources: + - deployments + verbs: + - update \ No newline at end of file diff --git a/other-mpol/update-image-tag/.chainsaw-test/deploy.yaml b/other-mpol/update-image-tag/.chainsaw-test/deploy.yaml new file mode 100644 index 000000000..f952b61a5 --- /dev/null +++ b/other-mpol/update-image-tag/.chainsaw-test/deploy.yaml 
@@ -0,0 +1,95 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + foo.io/foo: bar + vault.hashicorp.com/agent-inject: "true" + labels: + app: busybox + namespace: update-image-tag-ns + name: deployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: ghcr.io/kyverno/test-busybox:1.35 + name: busybox + - name: vault-agent + image: vault:1.2.3 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + bar.org/foo: foo + labels: + app: busybox + namespace: update-image-tag-ns + name: deployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: vault-agent + image: ghcr.io/kyverno/test-busybox:1.3.5 + - image: ghcr.io/kyverno/test-busybox:1.35 + name: busybox +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + vault.hashicorp.com/agent-inject: "false" + labels: + app: busybox + namespace: update-image-tag-ns + name: deployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: vault-agent + image: ghcr.io/kyverno/test-busybox:1.3.5 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + namespace: update-image-tag-ns + name: deployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: vault-agent + image: ghcr.io/kyverno/test-busybox:1.3.5 \ No newline at end of file diff --git a/other-mpol/update-image-tag/.chainsaw-test/deploy00-patched-again.yaml b/other-mpol/update-image-tag/.chainsaw-test/deploy00-patched-again.yaml new file mode 100644 index 000000000..43e94aab8 --- /dev/null +++ b/other-mpol/update-image-tag/.chainsaw-test/deploy00-patched-again.yaml 
@@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + foo.io/foo: bar + vault.hashicorp.com/agent-inject: "true" + labels: + app: busybox + namespace: update-image-tag-ns + name: deployment00 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: vault-agent + image: vault:1.6.0 + - image: ghcr.io/kyverno/test-busybox:1.35 + name: busybox \ No newline at end of file diff --git a/other-mpol/update-image-tag/.chainsaw-test/deploy00-patched.yaml b/other-mpol/update-image-tag/.chainsaw-test/deploy00-patched.yaml new file mode 100644 index 000000000..425e554ec --- /dev/null +++ b/other-mpol/update-image-tag/.chainsaw-test/deploy00-patched.yaml @@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + foo.io/foo: bar + vault.hashicorp.com/agent-inject: "true" + labels: + app: busybox + namespace: update-image-tag-ns + name: deployment00 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: ghcr.io/kyverno/test-busybox:1.35 + name: busybox + - name: vault-agent + image: vault:1.5.4 \ No newline at end of file diff --git a/other-mpol/update-image-tag/.chainsaw-test/deploy01-patched-again.yaml b/other-mpol/update-image-tag/.chainsaw-test/deploy01-patched-again.yaml new file mode 100644 index 000000000..f1ba65bd5 --- /dev/null +++ b/other-mpol/update-image-tag/.chainsaw-test/deploy01-patched-again.yaml 
@@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + foo.io/foo: bar + vault.hashicorp.com/agent-inject: "true" + labels: + app: busybox + namespace: update-image-tag-ns + name: deployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: vault-agent + image: vault:1.6.0 + - image: ghcr.io/kyverno/test-busybox:1.35 + name: busybox \ No newline at end of file diff --git a/other-mpol/update-image-tag/.chainsaw-test/deploy01-patched.yaml b/other-mpol/update-image-tag/.chainsaw-test/deploy01-patched.yaml new file mode 100644 index 000000000..a6bf4c787 --- /dev/null +++ b/other-mpol/update-image-tag/.chainsaw-test/deploy01-patched.yaml @@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + foo.io/foo: bar + vault.hashicorp.com/agent-inject: "true" + labels: + app: busybox + namespace: update-image-tag-ns + name: deployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - image: ghcr.io/kyverno/test-busybox:1.35 + name: busybox + - name: vault-agent + image: vault:1.5.4 \ No newline at end of file diff --git a/other-mpol/update-image-tag/.chainsaw-test/deploy02-patched-again.yaml b/other-mpol/update-image-tag/.chainsaw-test/deploy02-patched-again.yaml new file mode 100644 index 000000000..627ff5fe4 --- /dev/null +++ b/other-mpol/update-image-tag/.chainsaw-test/deploy02-patched-again.yaml 
@@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + bar.org/foo: foo + labels: + app: busybox + namespace: update-image-tag-ns + name: deployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: vault-agent + image: vault:1.6.0 + - image: ghcr.io/kyverno/test-busybox:1.35 + name: busybox \ No newline at end of file diff --git a/other-mpol/update-image-tag/.chainsaw-test/deploy02-patched.yaml b/other-mpol/update-image-tag/.chainsaw-test/deploy02-patched.yaml new file mode 100644 index 000000000..51a01f15d --- /dev/null +++ b/other-mpol/update-image-tag/.chainsaw-test/deploy02-patched.yaml @@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + vault.hashicorp.com/agent-inject: "true" + bar.org/foo: foo + labels: + app: busybox + namespace: update-image-tag-ns + name: deployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: vault-agent + image: vault:1.5.4 + - image: ghcr.io/kyverno/test-busybox:1.35 + name: busybox \ No newline at end of file diff --git a/other-mpol/update-image-tag/.chainsaw-test/deploy03-not-patched.yaml b/other-mpol/update-image-tag/.chainsaw-test/deploy03-not-patched.yaml new file mode 100644 index 000000000..5c0e8c517 --- /dev/null +++ b/other-mpol/update-image-tag/.chainsaw-test/deploy03-not-patched.yaml @@ -0,0 +1,22 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + vault.hashicorp.com/agent-inject: "false" + labels: + app: busybox + namespace: update-image-tag-ns + name: deployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: vault-agent + image: vault:1.5.4 \ No newline at end of file 
diff --git a/other-mpol/update-image-tag/.chainsaw-test/deploy04-not-patched.yaml b/other-mpol/update-image-tag/.chainsaw-test/deploy04-not-patched.yaml new file mode 100644 index 000000000..6d5a6cd4d --- /dev/null +++ b/other-mpol/update-image-tag/.chainsaw-test/deploy04-not-patched.yaml @@ -0,0 +1,20 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + namespace: update-image-tag-ns + name: deployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: vault-agent + image: vault:1.5.4 \ No newline at end of file diff --git a/other-mpol/update-image-tag/.chainsaw-test/ns.yaml b/other-mpol/update-image-tag/.chainsaw-test/ns.yaml new file mode 100644 index 000000000..1367f4bab --- /dev/null +++ b/other-mpol/update-image-tag/.chainsaw-test/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: update-image-tag-ns \ No newline at end of file diff --git a/other-mpol/update-image-tag/.chainsaw-test/policy-ready.yaml b/other-mpol/update-image-tag/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..b337ac6be --- /dev/null +++ b/other-mpol/update-image-tag/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,18 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: MutatingPolicy +metadata: + name: update-image-tag +status: + conditionStatus: + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + type: RBACPermissionsGranted + (length(conditions)): 2 + ready: true \ No newline at end of file diff --git a/other-mpol/update-image-tag/.chainsaw-test/policy-update.yaml b/other-mpol/update-image-tag/.chainsaw-test/policy-update.yaml new file mode 100644 index 000000000..6744bc244 --- /dev/null 
+++ b/other-mpol/update-image-tag/.chainsaw-test/policy-update.yaml @@ -0,0 +1,27 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: update-image-tag +spec: + mutateExistingOnPolicyUpdate: true + rules: + - name: update-image-tag-rule + match: + any: + - resources: + kinds: + - Deployment + annotations: + vault.hashicorp.com/agent-inject: "true" + mutate: + targets: + - apiVersion: apps/v1 + kind: Deployment + name: "{{ request.object.metadata.name }}" + patchStrategicMerge: + spec: + template: + spec: + containers: + - (name): vault-agent + image: vault:1.6.0 diff --git a/other-mpol/update-image-tag/artifacthub-pkg.yml b/other-mpol/update-image-tag/artifacthub-pkg.yml new file mode 100644 index 000000000..f41e3458c --- /dev/null +++ b/other-mpol/update-image-tag/artifacthub-pkg.yml 
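Review bot: `policy-update.yaml` is still a `kyverno.io/v1` `ClusterPolicy`, while the policy under test became a `MutatingPolicy`, so applying it in the chainsaw step-03 creates a second, unrelated object named `update-image-tag` instead of updating the one under test, and the `*-patched-again.yaml` assertions end up exercising the legacy engine. The two objects also disagree: the MutatingPolicy matches `UPDATE` on annotated Deployments and rewrites the image back to `vault:1.5.4`, so the ClusterPolicy's background update to `vault:1.6.0` can be reverted at admission unless the background controller's own requests are excluded from the webhook, which I cannot confirm from here. Replace the file with the same MutatingPolicy as `update-image-tag.yaml`, differing only in the image value, so the apply is a genuine policy update of the object under test.
```yaml
apiVersion: policies.kyverno.io/v1alpha1
kind: MutatingPolicy
metadata:
  name: update-image-tag
spec:
  # … unchanged, copied from update-image-tag.yaml: evaluation, matchConstraints, matchConditions, variables …
  mutations:
    - patchType: JSONPatch
      jsonPatch:
        expression: >-
          variables.hasVaultAgent ?
          [
            JSONPatch{
              op: "replace",
              path: "/spec/template/spec/containers/" + string(variables.vaultAgentIndex) + "/image",
              value: "vault:1.6.0"
            }
          ] : []
```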
@@ -0,0 +1,22 @@ +name: update-image-tag +version: 1.0.0 +displayName: Update Image Tag +createdAt: "2023-04-10T20:30:07.000Z" +description: >- + For use cases like sidecar injection, it is often the case where existing Deployments need the sidecar image updated without destroying the whole Deployment or Pods. This policy updates the image tag on containers named vault-agent for existing Deployments which have the annotation vault.hashicorp.com/agent-inject="true". It may be necessary to grant additional privileges to the Kyverno ServiceAccount, via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-mpol/update-image-tag/update-image-tag.yaml + ``` +keywords: + - kyverno + - other +readme: | + For use cases like sidecar injection, it is often the case where existing Deployments need the sidecar image updated without destroying the whole Deployment or Pods. This policy updates the image tag on containers named vault-agent for existing Deployments which have the annotation vault.hashicorp.com/agent-inject="true". It may be necessary to grant additional privileges to the Kyverno ServiceAccount, via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "Deployment" +digest: d102b19ea287c4f9e23bd60b96d74da0f038c81ae5684a55692ef7e723b34fdc diff --git a/other-mpol/update-image-tag/update-image-tag.yaml b/other-mpol/update-image-tag/update-image-tag.yaml new file mode 100644 index 000000000..143b0ac68 --- /dev/null +++ b/other-mpol/update-image-tag/update-image-tag.yaml 
@@ -0,0 +1,57 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: MutatingPolicy +metadata: + name: update-image-tag + annotations: + policies.kyverno.io/title: Update Image Tag + policies.kyverno.io/category: Other + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: Deployment + policies.kyverno.io/description: >- + For use cases like sidecar injection, it is often the case where existing + Deployments need the sidecar image updated without destroying the whole Deployment + or Pods. This policy updates the image tag on containers named vault-agent for + existing Deployments which have the annotation vault.hashicorp.com/agent-inject="true". + It may be necessary to grant additional privileges to the Kyverno ServiceAccount, + via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments. +spec: + evaluation: + admission: + enabled: true + mutateExisting: + enabled: true + + matchConstraints: + resourceRules: + - apiGroups: ["apps"] + apiVersions: ["v1"] + resources: ["deployments"] + operations: ["CREATE", "UPDATE"] + + matchConditions: + - name: has-vault-inject-annotation + expression: "has(object.metadata.annotations) && object.metadata.annotations['vault.hashicorp.com/agent-inject'] == 'true'" + + variables: + - name: containers + expression: "object.spec.template.spec.containers" + + - name: vaultAgentIndex + expression: >- + variables.containers.map(c, c.name).indexOf('vault-agent') + + - name: hasVaultAgent + expression: "variables.vaultAgentIndex >= 0" + + mutations: + - patchType: JSONPatch + jsonPatch: + expression: >- + variables.hasVaultAgent ? + [ + JSONPatch{ + op: "replace", + path: "/spec/template/spec/containers/" + string(variables.vaultAgentIndex) + "/image", + value: "vault:1.5.4" + } + ] : [] \ No newline at end of file From 87a60842c1f437e22fe94fe31e0f033eb8e4757b Mon Sep 17 00:00:00 2001 
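Review bot: The `has-vault-inject-annotation` match condition indexes `object.metadata.annotations['vault.hashicorp.com/agent-inject']` directly, so a Deployment that carries annotations but not this particular key makes the CEL lookup fail with a missing-key error rather than evaluating to false; depending on the policy's failure handling that can reject or error every unrelated Deployment CREATE/UPDATE instead of simply not matching. The other policies touched in this series use the optional-field form, which also makes the `has(...)` guard unnecessary: `expression: "object.metadata.?annotations[?'vault.hashicorp.com/agent-inject'].orValue('') == 'true'"`. Separately, the new file is committed without a trailing newline (`\ No newline at end of file`), which the repo's other YAML files do have.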
From: Brandon Metcalf Date: Thu, 20 Nov 2025 16:24:11 -0600 Subject: [PATCH 02/14] use updated do-not-disrupt annotation Signed-off-by: Brandon Metcalf --- ...ct.yaml => add-karpenter-do-not-disrupt.yaml} | 16 ++++++++-------- .../artifacthub-pkg.yml | 10 +++++----- 2 files changed, 13 insertions(+), 13 deletions(-) rename karpenter/add-karpenter-donot-evict/{add-karpenter-donot-evict.yaml => add-karpenter-do-not-disrupt.yaml} (74%) diff --git a/karpenter/add-karpenter-donot-evict/add-karpenter-donot-evict.yaml b/karpenter/add-karpenter-donot-evict/add-karpenter-do-not-disrupt.yaml similarity index 74% rename from karpenter/add-karpenter-donot-evict/add-karpenter-donot-evict.yaml rename to karpenter/add-karpenter-donot-evict/add-karpenter-do-not-disrupt.yaml index b2f75d1a9..a2092bdb1 100644 --- a/karpenter/add-karpenter-donot-evict/add-karpenter-donot-evict.yaml +++ b/karpenter/add-karpenter-donot-evict/add-karpenter-do-not-disrupt.yaml @@ -1,9 +1,9 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: add-karpenter-donot-evict + name: add-karpenter-do-not-disrupt annotations: - policies.kyverno.io/title: Add Karpenter Do Not Evict + policies.kyverno.io/title: Add Karpenter Do Not Disrupt policies.kyverno.io/category: Karpenter, EKS Best Practices policies.kyverno.io/severity: medium policies.kyverno.io/subject: Pod 
@@ -11,14 +11,14 @@ metadata: policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.23" policies.kyverno.io/description: >- - If a Pod exists with the annotation `karpenter.sh/do-not-evict: true` on a Node, + If a Pod exists with the annotation `karpenter.sh/do-not-disrupt: true` on a Node, and a request is made to delete the Node, Karpenter will not drain any Pods from that Node or otherwise try to delete the Node. This is useful for Pods that should run uninterrupted to completion. This policy mutates Jobs and CronJobs - so that Pods spawned by them will contain the `karpenter.sh/do-not-evict: true` annotation. + so that Pods spawned by them will contain the `karpenter.sh/do-not-disrupt: true` annotation. spec: rules: - - name: do-not-evict-jobs + - name: do-not-disrupt-jobs match: any: - resources: @@ -30,8 +30,8 @@ spec: template: metadata: annotations: - karpenter.sh/do-not-evict: "true" - - name: do-not-evict-cronjobs + karpenter.sh/do-not-disrupt: "true" + - name: do-not-disrupt-cronjobs match: any: - resources: @@ -45,4 +45,4 @@ spec: template: metadata: annotations: - karpenter.sh/do-not-evict: "true" + karpenter.sh/do-not-disrupt: "true" diff --git a/karpenter/add-karpenter-donot-evict/artifacthub-pkg.yml b/karpenter/add-karpenter-donot-evict/artifacthub-pkg.yml index c3cb4da38..6faa72fc6 100644 --- a/karpenter/add-karpenter-donot-evict/artifacthub-pkg.yml +++ b/karpenter/add-karpenter-donot-evict/artifacthub-pkg.yml 
@@ -1,19 +1,19 @@ -name: add-karpenter-donot-evict +name: add-karpenter-do-not-disrupt version: 1.0.0 -displayName: Add Karpenter Do Not Evict +displayName: Add Karpenter Do Not Disrupt createdAt: "2023-04-10T20:11:12.000Z" description: >- - If a Pod exists with the annotation `karpenter.sh/do-not-evict: true` on a Node, and a request is made to delete the Node, Karpenter will not drain any Pods from that Node or otherwise try to delete the Node. This is useful for Pods that should run uninterrupted to completion. This policy mutates Jobs and CronJobs so that Pods spawned by them will contain the `karpenter.sh/do-not-evict: true` annotation. + If a Pod exists with the annotation `karpenter.sh/do-not-disrupt: true` on a Node, and a request is made to delete the Node, Karpenter will not drain any Pods from that Node or otherwise try to delete the Node. This is useful for Pods that should run uninterrupted to completion. This policy mutates Jobs and CronJobs so that Pods spawned by them will contain the `karpenter.sh/do-not-disrupt: true` annotation. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/karpenter/add-karpenter-donot-evict/add-karpenter-donot-evict.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/karpenter/add-karpenter-donot-disrupt/add-karpenter-do-not-disrupt.yaml ``` keywords: - kyverno - Karpenter - EKS Best Practices readme: | - If a Pod exists with the annotation `karpenter.sh/do-not-evict: true` on a Node, and a request is made to delete the Node, Karpenter will not drain any Pods from that Node or otherwise try to delete the Node. This is useful for Pods that should run uninterrupted to completion. This policy mutates Jobs and CronJobs so that Pods spawned by them will contain the `karpenter.sh/do-not-evict: true` annotation. 
+ If a Pod exists with the annotation `karpenter.sh/do-not-disrupt: true` on a Node, and a request is made to delete the Node, Karpenter will not drain any Pods from that Node or otherwise try to delete the Node. This is useful for Pods that should run uninterrupted to completion. This policy mutates Jobs and CronJobs so that Pods spawned by them will contain the `karpenter.sh/do-not-disrupt: true` annotation. Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ annotations: From 9994f9bdfbb8f064ed0c45efbb185c42692d7cb7 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 20 Nov 2025 21:43:58 -0800 Subject: [PATCH 03/14] build(deps): Bump actions/setup-go in /.github/actions/setup-env (#1378) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6.0.0 to 6.1.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/44694675825211faa026b3c33043df3e48a5fa00...4dc6199c7b1a012772edbd06daecab0f50c9053c) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Brandon Metcalf --- .github/actions/setup-env/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/setup-env/action.yaml b/.github/actions/setup-env/action.yaml index fa265a461..30b0a4056 100644 --- a/.github/actions/setup-env/action.yaml +++ b/.github/actions/setup-env/action.yaml 
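Review bot: The updated `install` line points at `karpenter/add-karpenter-donot-disrupt/add-karpenter-do-not-disrupt.yaml`, but the `rename from`/`rename to` lines in this same commit show the file was only renamed inside the existing `karpenter/add-karpenter-donot-evict/` directory, so the raw.githubusercontent URL will not resolve. Either keep the directory in the URL, `kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/karpenter/add-karpenter-donot-evict/add-karpenter-do-not-disrupt.yaml`, or rename the directory as well and update the URL to match. Since the ClusterPolicy `name` also changes to `add-karpenter-do-not-disrupt`, applying the new manifest creates a second policy next to an already-installed `add-karpenter-donot-evict`; a sentence in the readme telling users to delete the old policy would avoid both mutations running side by side.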
@@ -8,7 +8,7 @@ runs: using: "composite" steps: - name: Setup Go - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 + uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version: ~1.25.3 - name: Install Tools From 857eade73b7e62fc65e68d303e31aa673d80ff0c Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Mon, 24 Nov 2025 18:37:07 +0000 Subject: [PATCH 04/14] chore: fix indentation in ValidatingPolicies (#1382) Signed-off-by: Mariam Fahmy 
Signed-off-by: Brandon Metcalf --- .../advanced-restrict-image-registries.yaml | 51 +++++++++---------- .../artifacthub-pkg.yml | 2 +- .../allowed-annotations.yaml | 6 +-- .../allowed-annotations/artifacthub-pkg.yml | 2 +- .../allowed-pod-priorities.yaml | 25 +++++---- .../artifacthub-pkg.yml | 2 +- other-vpol/check-env-vars/artifacthub-pkg.yml | 2 +- other-vpol/check-env-vars/check-env-vars.yaml | 8 +-- .../artifacthub-pkg.yml | 2 +- .../check-node-for-cve-2022-0185.yaml | 14 ++--- .../check-serviceaccount-secrets.yaml | 4 +- .../artifacthub-pkg.yml | 2 +- .../deny-commands-in-exec-probe.yaml | 16 +++--- ...eny-secret-service-account-token-type.yaml | 4 +- .../artifacthub-pkg.yml | 2 +- .../disallow-localhost-services.yaml | 4 +- .../artifacthub-pkg.yml | 2 +- .../disallow-secrets-from-env-vars.yaml | 1 - .../artifacthub-pkg.yml | 2 +- .../docker-socket-requires-label.yaml | 12 ++--- .../enforce-pod-duration/artifacthub-pkg.yml | 2 +- .../enforce-pod-duration.yaml | 12 ++--- .../artifacthub-pkg.yml | 2 +- .../enforce-readwriteonce-pod.yaml | 4 +- .../artifacthub-pkg.yml | 2 +- .../ensure-probes-different.yaml | 10 ++-- .../artifacthub-pkg.yml | 2 +- .../exclude-namespaces-dynamically.yaml | 1 - .../forbid-cpu-limits/artifacthub-pkg.yml | 2 +- .../forbid-cpu-limits/forbid-cpu-limits.yaml | 4 +- .../artifacthub-pkg.yml | 2 +- .../imagepullpolicy-always.yaml | 12 ++--- .../artifacthub-pkg.yml | 2 +- .../ingress-host-match-tls.yaml | 12 ++--- .../artifacthub-pkg.yml | 2 +- .../limit-containers-per-pod.yaml | 4 +- .../artifacthub-pkg.yml | 2 +- .../limit-hostpath-type-pv.yaml | 4 +- .../limit-hostpath-vols/artifacthub-pkg.yml | 2 +- .../limit-hostpath-vols.yaml | 8 +-- .../artifacthub-pkg.yml | 2 +- .../memory-requests-equal-limits.yaml | 10 ++-- .../metadata-match-regex/artifacthub-pkg.yml | 2 +- .../metadata-match-regex.yaml | 8 +-- .../pdb-maxunavailable/artifacthub-pkg.yml | 2 +- .../pdb-maxunavailable.yaml | 4 +- .../prevent-bare-pods/artifacthub-pkg.yml | 2 +- 
.../prevent-bare-pods/prevent-bare-pods.yaml | 4 +- .../prevent-cr8escape/artifacthub-pkg.yml | 2 +- .../prevent-cr8escape/prevent-cr8escape.yaml | 8 +-- .../require-annotations/artifacthub-pkg.yml | 2 +- .../require-annotations.yaml | 6 +-- .../artifacthub-pkg.yml | 2 +- .../require-container-port-names.yaml | 4 +- .../artifacthub-pkg.yml | 2 +- ...re-deployments-have-multiple-replicas.yaml | 4 +- .../artifacthub-pkg.yml | 2 +- .../require-emptydir-requests-limits.yaml | 26 +++++----- .../artifacthub-pkg.yml | 2 +- .../require-image-checksum.yaml | 4 +- .../require-ingress-https/artifacthub-pkg.yml | 2 +- .../require-ingress-https.yaml | 11 ++-- .../artifacthub-pkg.yml | 2 +- .../require-pod-priorityclassname.yaml | 4 +- .../require-qos-burstable/artifacthub-pkg.yml | 2 +- .../require-qos-burstable.yaml | 9 ++-- .../artifacthub-pkg.yml | 2 +- .../require-qos-guaranteed.yaml | 20 ++++---- .../require-storageclass/artifacthub-pkg.yml | 2 +- .../require-storageclass.yaml | 16 +++--- .../restrict-annotations/artifacthub-pkg.yml | 2 +- .../restrict-annotations.yaml | 4 +- .../artifacthub-pkg.yml | 2 +- .../restrict-binding-clusteradmin.yaml | 4 +- .../artifacthub-pkg.yml | 2 +- .../restrict-binding-system-groups.yaml | 12 ++--- .../artifacthub-pkg.yml | 2 +- .../restrict-clusterrole-nodesproxy.yaml | 12 ++--- .../artifacthub-pkg.yml | 2 +- .../restrict-controlplane-scheduling.yaml | 8 +-- .../artifacthub-pkg.yml | 2 +- .../restrict-deprecated-registry.yaml | 9 ++-- .../artifacthub-pkg.yml | 2 +- .../restrict-edit-for-endpoints.yaml | 8 +-- .../artifacthub-pkg.yml | 2 +- .../restrict-escalation-verbs-roles.yaml | 26 +++++----- .../artifacthub-pkg.yml | 2 +- .../restrict-ingress-classes.yaml | 6 +-- .../artifacthub-pkg.yml | 2 +- .../restrict-ingress-defaultbackend.yaml | 4 +- .../artifacthub-pkg.yml | 2 +- .../restrict-ingress-wildcard.yaml | 4 +- other-vpol/restrict-jobs/artifacthub-pkg.yml | 2 +- other-vpol/restrict-jobs/restrict-jobs.yaml | 8 +-- 
.../restrict-loadbalancer/artifacthub-pkg.yml | 2 +- .../restrict-loadbalancer.yaml | 4 +- .../artifacthub-pkg.yml | 2 +- ...trict-networkpolicy-empty-podselector.yaml | 5 +- .../artifacthub-pkg.yml | 2 +- .../restrict-node-affinity.yaml | 4 +- .../artifacthub-pkg.yml | 2 +- .../restrict-node-label-creation.yaml | 12 ++--- .../artifacthub-pkg.yml | 2 +- ...pod-controller-serviceaccount-updates.yaml | 1 - .../artifacthub-pkg.yml | 2 +- .../restrict-sa-automount-sa-token.yaml | 4 +- .../artifacthub-pkg.yml | 2 +- .../restrict-secret-role-verbs.yaml | 24 ++++----- .../artifacthub-pkg.yml | 2 +- .../restrict-secrets-by-name.yaml | 36 ++++++------- .../artifacthub-pkg.yml | 2 +- .../restrict-service-port-range.yaml | 4 +- .../restrict-storageclass/artifacthub-pkg.yml | 2 +- .../restrict-storageclass.yaml | 5 +- .../artifacthub-pkg.yml | 2 +- .../restrict-usergroup-fsgroup-id.yaml | 12 ++--- .../artifacthub-pkg.yml | 2 +- .../restrict-wildcard-resources.yaml | 4 +- .../artifacthub-pkg.yml | 2 +- .../restrict-wildcard-verbs.yaml | 4 +- .../artifacthub-pkg.yml | 2 +- .../topologyspreadconstraints-policy.yaml | 10 ++-- .../unique-ingress-paths/artifacthub-pkg.yml | 2 +- .../unique-ingress-paths.yaml | 47 +++++++++-------- 124 files changed, 372 insertions(+), 385 deletions(-) diff --git a/other-vpol/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml b/other-vpol/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml index 0302ba288..8bce54252 100644 --- a/other-vpol/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml +++ b/other-vpol/advanced-restrict-image-registries/advanced-restrict-image-registries.yaml 
@@ -27,31 +27,28 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["pods"] variables: - - name: cm - expression: >- - resource.Get("v1", "configmaps", "default", "clusterregistries") - - name: allContainers - expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" - - name: nsRegistries - expression: >- - namespaceObject.metadata.?annotations["corp.com/allowed-registries"] - .orValue("") .split(",").filter(reg, reg != "") - - - name: cmRegistries - expression: >- - variables.cm.data[?'registries'].orValue("").split(",").filter(reg, reg != "") - + - name: cm + expression: >- + resource.Get("v1", "configmaps", "default", "clusterregistries") + - name: allContainers + expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" + - name: nsRegistries + expression: >- + namespaceObject.metadata.?annotations["corp.com/allowed-registries"] + .orValue("") .split(",").filter(reg, reg != "") + - name: cmRegistries + expression: >- + variables.cm.data[?'registries'].orValue("").split(",").filter(reg, reg != "") validations: - - expression: >- - variables.allContainers.all(container, - ( - variables.cmRegistries.exists(cmRegistry, - container.image.startsWith(cmRegistry.trim())) - ) || ( - variables.nsRegistries.exists(nsRegistry, - container.image.startsWith(nsRegistry.trim())) - ) - ) - - messageExpression: >- - 'This Pod names an image that is not from an approved registry' + variables.nsRegistries.join(',') + ' ' + variables.cmRegistries.join(',') \ No newline at end of file + - expression: >- + variables.allContainers.all(container, + ( + variables.cmRegistries.exists(cmRegistry, + container.image.startsWith(cmRegistry.trim())) + ) || ( + variables.nsRegistries.exists(nsRegistry, + container.image.startsWith(nsRegistry.trim())) + ) + ) + messageExpression: >- + 'This Pod names an image that is not from an approved registry' + 
variables.nsRegistries.join(',') + ' ' + variables.cmRegistries.join(',') \ No newline at end of file diff --git a/other-vpol/advanced-restrict-image-registries/artifacthub-pkg.yml b/other-vpol/advanced-restrict-image-registries/artifacthub-pkg.yml index 419765414..8b5d4e8c9 100644 --- a/other-vpol/advanced-restrict-image-registries/artifacthub-pkg.yml +++ b/other-vpol/advanced-restrict-image-registries/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Other in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Pod" -digest: 9ae315d3e09e40f196330b97c250b85b18807e5f69383e9cca22df7ffdbf53c2 +digest: 2b57470e59f3e630311cf189035ae37df3e1361588d0890eecc19ef6f1f601cb createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/allowed-annotations/allowed-annotations.yaml b/other-vpol/allowed-annotations/allowed-annotations.yaml index a603b83ff..9925e00da 100644 --- a/other-vpol/allowed-annotations/allowed-annotations.yaml +++ b/other-vpol/allowed-annotations/allowed-annotations.yaml @@ -28,7 +28,7 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["pods"] validations: - - expression: >- - object.metadata.?annotations.orValue([]).all(annotation, !annotation.contains('fluxcd.io/') || annotation in ['fluxcd.io/cow', 'fluxcd.io/dog']) - message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. + - expression: >- + object.metadata.?annotations.orValue([]).all(annotation, !annotation.contains('fluxcd.io/') || annotation in ['fluxcd.io/cow', 'fluxcd.io/dog']) + message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`. diff --git a/other-vpol/allowed-annotations/artifacthub-pkg.yml b/other-vpol/allowed-annotations/artifacthub-pkg.yml index 1778d5e4a..b02f82586 100644 --- a/other-vpol/allowed-annotations/artifacthub-pkg.yml +++ b/other-vpol/allowed-annotations/artifacthub-pkg.yml 
@@ -19,7 +19,7 @@ annotations: kyverno/category: "Other in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Pod, Annotation" -digest: 8ab1d332a60ec0941f4fed6ac52b61e437f9b016232256d7c56fb74c48ac92fd +digest: 6c8485f93f339ad4cd78855d375cb89a163275e54436f48c7cbf89f0907b4f94 createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/allowed-pod-priorities/allowed-pod-priorities.yaml b/other-vpol/allowed-pod-priorities/allowed-pod-priorities.yaml index 3dcf901cc..4975c1c59 100644 --- a/other-vpol/allowed-pod-priorities/allowed-pod-priorities.yaml +++ b/other-vpol/allowed-pod-priorities/allowed-pod-priorities.yaml 
@@ -28,17 +28,16 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["pods"] variables: - - name: prior - expression: >- - resource.Get("v1", "configmaps", "default", "allowed-pod-priorities") - - name: namespaceName - expression: "namespaceObject.metadata.name" - - name: priorities - expression: "variables.namespaceName in variables.prior.data ? variables.prior.data[variables.namespaceName].split(', ') : []" + - name: prior + expression: >- + resource.Get("v1", "configmaps", "default", "allowed-pod-priorities") + - name: namespaceName + expression: "namespaceObject.metadata.name" + - name: priorities + expression: "variables.namespaceName in variables.prior.data ? variables.prior.data[variables.namespaceName].split(', ') : []" validations: - - expression: "variables.priorities == [] || object.spec.priorityClassName in variables.priorities" - message: >- - 'The Pod PriorityClass ' + object.spec.priorityClassName + - ' is not in the list of the following PriorityClasses allowed in this Namespace: ' + - variables.prior.data[variables.namespaceName] - + - expression: "variables.priorities == [] || object.spec.priorityClassName in variables.priorities" + message: >- + 'The Pod PriorityClass ' + object.spec.priorityClassName + + ' is not in the list of the following PriorityClasses allowed in this Namespace: ' + + variables.prior.data[variables.namespaceName] diff --git a/other-vpol/allowed-pod-priorities/artifacthub-pkg.yml b/other-vpol/allowed-pod-priorities/artifacthub-pkg.yml index 7c98d6fa4..408586985 100644 --- a/other-vpol/allowed-pod-priorities/artifacthub-pkg.yml +++ b/other-vpol/allowed-pod-priorities/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Sample in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Pod" -digest: eeb1149bc7549f0a18a4ec09e93596b4d9a9cbd54e448483959e9855f5533c9a +digest: 67324ef06e08c4ca43d9700b2de674833ad3489510dbb6cf186b2061a5762a1f createdAt: "2025-05-11T17:46:12Z" 
diff --git a/other-vpol/check-env-vars/artifacthub-pkg.yml b/other-vpol/check-env-vars/artifacthub-pkg.yml index 020163c02..d35fd9c0f 100644 --- a/other-vpol/check-env-vars/artifacthub-pkg.yml +++ b/other-vpol/check-env-vars/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Other in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Pod" -digest: afc872ac6eac0320a01f8bc276c502c3cf9f52878dd55cd2d7d09c9f84853dbc +digest: f0b3e03403ba19143270b9af25ab76f33446f3476e88a54f0b4cdba3d322da61 createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/check-env-vars/check-env-vars.yaml b/other-vpol/check-env-vars/check-env-vars.yaml index 4cfb4556f..487314de9 100644 --- a/other-vpol/check-env-vars/check-env-vars.yaml +++ b/other-vpol/check-env-vars/check-env-vars.yaml @@ -28,8 +28,8 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["pods"] validations: - - expression: >- - !object.spec.containers.exists(container, - container.?env.orValue([]).exists(e, e.name == 'DISABLE_OPA' && e.value == 'true')) - message: "DISABLE_OPA must not be set to true." + - expression: >- + !object.spec.containers.exists(container, + container.?env.orValue([]).exists(e, e.name == 'DISABLE_OPA' && e.value == 'true')) + message: "DISABLE_OPA must not be set to true." diff --git a/other-vpol/check-node-for-cve-2022-0185/artifacthub-pkg.yml b/other-vpol/check-node-for-cve-2022-0185/artifacthub-pkg.yml index 71bafae76..3f73d7770 100644 --- a/other-vpol/check-node-for-cve-2022-0185/artifacthub-pkg.yml +++ b/other-vpol/check-node-for-cve-2022-0185/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Other in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Node" -digest: 64697fb1f8a6273fec90f5d5fddd6ceb289d7cae4f662fe96388971a094314a4 +digest: 3916cd2dcab226ace12583eef58eb4399c4ac9ae9c12dc1eb24f48c4825421e5 createdAt: "2025-05-11T17:46:12Z" 
diff --git a/other-vpol/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml b/other-vpol/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml index 57d9f7af5..5c5732eca 100644 --- a/other-vpol/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml +++ b/other-vpol/check-node-for-cve-2022-0185/check-node-for-cve-2022-0185.yaml @@ -23,12 +23,12 @@ spec: background: enabled: true matchConstraints: - resourceRules: - - apiGroups: [""] - apiVersions: ["v1"] - operations: ["CREATE", "UPDATE"] - resources: ["nodes"] + resourceRules: + - apiGroups: [""] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["nodes"] validations: - - expression: "!(object.status.nodeInfo.kernelVersion in ['5.10.84-1', '5.15.5-2'])" - message: "Kernel is vulnerable to CVE-2022-0185." + - expression: "!(object.status.nodeInfo.kernelVersion in ['5.10.84-1', '5.15.5-2'])" + message: "Kernel is vulnerable to CVE-2022-0185." diff --git a/other-vpol/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml b/other-vpol/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml index defad44db..8b028b7ff 100644 --- a/other-vpol/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml +++ b/other-vpol/check-serviceaccount-secrets/check-serviceaccount-secrets.yaml @@ -29,6 +29,6 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["serviceaccounts"] validations: - - expression: "!has(object.secrets)" - message: "Long-lived API tokens are not allowed." + - expression: "!has(object.secrets)" + message: "Long-lived API tokens are not allowed." diff --git a/other-vpol/deny-commands-in-exec-probe/artifacthub-pkg.yml b/other-vpol/deny-commands-in-exec-probe/artifacthub-pkg.yml index 160c45a25..ea5edf122 100644 --- a/other-vpol/deny-commands-in-exec-probe/artifacthub-pkg.yml +++ b/other-vpol/deny-commands-in-exec-probe/artifacthub-pkg.yml 
@@ -20,7 +20,7 @@ annotations: kyverno/category: "Other in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Pod" -digest: 6fe541652335d424d8b8e4203d2ced312fcc730881128af6c24083cbc622b2cb +digest: c7551017103eaef746d4f4fe5d94dbc18ddf1168518943cf162f173b615137b6 createdAt: "2025-05-11T17:46:10Z" diff --git a/other-vpol/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml b/other-vpol/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml index d01b0cc50..987553bd5 100644 --- a/other-vpol/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml +++ b/other-vpol/deny-commands-in-exec-probe/deny-commands-in-exec-probe.yaml @@ -27,12 +27,12 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["pods"] matchConditions: - - name: check-liveness-probes-commands-exist - expression: >- - object.spec.containers.exists(container, size(container.?livenessProbe.?exec.?command.orValue([])) > 0) + - name: check-liveness-probes-commands-exist + expression: >- + object.spec.containers.exists(container, size(container.?livenessProbe.?exec.?command.orValue([])) > 0) validations: - - expression: >- - object.spec.containers.all(container, - !container.?livenessProbe.?exec.?command.orValue([]).exists(command, - command.matches('\\bjcmd\\b') || command.matches('\\bps\\b') || command.matches('\\bls\\b'))) - message: Cannot use commands `jcmd`, `ps`, or `ls` in liveness probes. + - expression: >- + object.spec.containers.all(container, + !container.?livenessProbe.?exec.?command.orValue([]).exists(command, + command.matches('\\bjcmd\\b') || command.matches('\\bps\\b') || command.matches('\\bls\\b'))) + message: Cannot use commands `jcmd`, `ps`, or `ls` in liveness probes. diff --git a/other-vpol/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml b/other-vpol/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml index b1ee7fe48..3b98c1027 100644 
--- a/other-vpol/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml +++ b/other-vpol/deny-secret-service-account-token-type/deny-secret-service-account-token-type.yaml @@ -28,6 +28,6 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["secrets"] validations: - - expression: "object.type != 'kubernetes.io/service-account-token'" - message: "Secret ServiceAccount token type is not allowed." + - expression: "object.type != 'kubernetes.io/service-account-token'" + message: "Secret ServiceAccount token type is not allowed." diff --git a/other-vpol/disallow-localhost-services/artifacthub-pkg.yml b/other-vpol/disallow-localhost-services/artifacthub-pkg.yml index 3eb59243c..aa3074a3a 100644 --- a/other-vpol/disallow-localhost-services/artifacthub-pkg.yml +++ b/other-vpol/disallow-localhost-services/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Sample in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Service" -digest: 85fc385ea59b614dc07cacfcf55e5860f614a9e65fbaf936c5dd8166af06f2cb +digest: a0fa1b44283e98fab50a2cd480e8bfa29aa9f1d49b93c8aa08b02fc0616b57b2 createdAt: "2025-05-11T17:46:12Z" diff --git a/other-vpol/disallow-localhost-services/disallow-localhost-services.yaml b/other-vpol/disallow-localhost-services/disallow-localhost-services.yaml index e107dc643..7bb246cdd 100644 --- a/other-vpol/disallow-localhost-services/disallow-localhost-services.yaml +++ b/other-vpol/disallow-localhost-services/disallow-localhost-services.yaml @@ -26,6 +26,6 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["services"] validations: - - expression: "object.spec.type != 'ExternalName' || object.spec.externalName != 'localhost'" - message: "Service of type ExternalName cannot point to localhost." + - expression: "object.spec.type != 'ExternalName' || object.spec.externalName != 'localhost'" + message: "Service of type ExternalName cannot point to localhost." 
diff --git a/other-vpol/disallow-secrets-from-env-vars/artifacthub-pkg.yml b/other-vpol/disallow-secrets-from-env-vars/artifacthub-pkg.yml index b2c1a73d5..afd60f8a5 100644 --- a/other-vpol/disallow-secrets-from-env-vars/artifacthub-pkg.yml +++ b/other-vpol/disallow-secrets-from-env-vars/artifacthub-pkg.yml @@ -20,7 +20,7 @@ annotations: kyverno/category: "Sample, EKS Best Practices in vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Pod, Secret" -digest: e7bd3644344391b4a63e5cbc5a420d88647d7d0c834e9928bec9312ca2a7a032 +digest: 1044dacc107a91956f6077c4c48151075628e195d3a17f2b075c1014537ce992 createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml b/other-vpol/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml index ce6be967b..f22db9f15 100644 --- a/other-vpol/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml +++ b/other-vpol/disallow-secrets-from-env-vars/disallow-secrets-from-env-vars.yaml @@ -19,7 +19,6 @@ spec: evaluation: background: enabled: true - matchConstraints: resourceRules: - apiGroups: [""] diff --git a/other-vpol/docker-socket-requires-label/artifacthub-pkg.yml b/other-vpol/docker-socket-requires-label/artifacthub-pkg.yml index 510baefb5..c48cf8587 100644 --- a/other-vpol/docker-socket-requires-label/artifacthub-pkg.yml +++ b/other-vpol/docker-socket-requires-label/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Other in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Pod" -digest: 86e6022690e58f3c89c1d79532e780ee9ce4125572ff39e0d94840e69471255f +digest: 75c9c48c54990d231b20e0575e775210d2893143190e6a37c41680e678e91f40 createdAt: "2025-05-11T17:46:10Z" diff --git a/other-vpol/docker-socket-requires-label/docker-socket-requires-label.yaml b/other-vpol/docker-socket-requires-label/docker-socket-requires-label.yaml index 648b050e4..2af566c1c 100644 
--- a/other-vpol/docker-socket-requires-label/docker-socket-requires-label.yaml +++ b/other-vpol/docker-socket-requires-label/docker-socket-requires-label.yaml @@ -27,11 +27,11 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["pods"] variables: - - name: hasDockerSocket - expression: "object.spec.?volumes.orValue([]).exists(volume, volume.?hostPath.?path.orValue('') == '/var/run/docker.sock')" - - name: isAllowDockerLabelTrue - expression: "object.metadata.?labels[?'allow-docker'].orValue('false') == 'true'" + - name: hasDockerSocket + expression: "object.spec.?volumes.orValue([]).exists(volume, volume.?hostPath.?path.orValue('') == '/var/run/docker.sock')" + - name: isAllowDockerLabelTrue + expression: "object.metadata.?labels[?'allow-docker'].orValue('false') == 'true'" validations: - - expression: "!variables.hasDockerSocket || variables.isAllowDockerLabelTrue" - message: "If a hostPath volume exists and is set to `/var/run/docker.sock`, the label `allow-docker` must equal `true`." + - expression: "!variables.hasDockerSocket || variables.isAllowDockerLabelTrue" + message: "If a hostPath volume exists and is set to `/var/run/docker.sock`, the label `allow-docker` must equal `true`." diff --git a/other-vpol/enforce-pod-duration/artifacthub-pkg.yml b/other-vpol/enforce-pod-duration/artifacthub-pkg.yml index 42abdb7d7..4a183377a 100644 --- a/other-vpol/enforce-pod-duration/artifacthub-pkg.yml +++ b/other-vpol/enforce-pod-duration/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Sample in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Pod" -digest: 3ba92b9879e90070faabcfad5acadd899ff8a25ca2233beaa83daa40bf337600 +digest: 406f52b1099dee5914c60f155138702f3ef51af25bb3ff7e0b7ca27fbc6b48ea createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/enforce-pod-duration/enforce-pod-duration.yaml b/other-vpol/enforce-pod-duration/enforce-pod-duration.yaml index 830fb9b26..c01ea805b 100644 
--- a/other-vpol/enforce-pod-duration/enforce-pod-duration.yaml +++ b/other-vpol/enforce-pod-duration/enforce-pod-duration.yaml @@ -25,11 +25,11 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["pods"] variables: - - name: hasLifetimeAnnotation - expression: "object.metadata.?annotations[?'pod.kubernetes.io/lifetime'].hasValue()" - - name: lifetimeAnnotationValue - expression: "variables.hasLifetimeAnnotation ? object.metadata.annotations['pod.kubernetes.io/lifetime'] : '0s'" + - name: hasLifetimeAnnotation + expression: "object.metadata.?annotations[?'pod.kubernetes.io/lifetime'].hasValue()" + - name: lifetimeAnnotationValue + expression: "variables.hasLifetimeAnnotation ? object.metadata.annotations['pod.kubernetes.io/lifetime'] : '0s'" validations: - - expression: "!(duration(variables.lifetimeAnnotationValue) > duration('8h'))" - message: "Pod lifetime exceeds limit of 8h" + - expression: "!(duration(variables.lifetimeAnnotationValue) > duration('8h'))" + message: "Pod lifetime exceeds limit of 8h" diff --git a/other-vpol/enforce-readwriteonce-pod/artifacthub-pkg.yml b/other-vpol/enforce-readwriteonce-pod/artifacthub-pkg.yml index 942295edc..224e26ea7 100644 --- a/other-vpol/enforce-readwriteonce-pod/artifacthub-pkg.yml +++ b/other-vpol/enforce-readwriteonce-pod/artifacthub-pkg.yml @@ -29,7 +29,7 @@ annotations: kyverno/category: "Sample in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "PersistentVolumeClaims" -digest: 9afb4ff5fd876fe7bbc8dd819eaf0ed9c5725a3ee3bc85b34ecc1ee30f5e3e6e +digest: 03d7ae40c94064e2b0b066f8d099c46f11ae48e50e91c9c80685d97e0feaff8a createdAt: "2025-05-11T17:46:12Z" diff --git a/other-vpol/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml b/other-vpol/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml index 2780ddc80..db0276845 100644 --- a/other-vpol/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml +++ b/other-vpol/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml 
@@ -29,6 +29,6 @@ spec:
 resources: ["persistentvolumeclaims"]
 operations: ["CREATE", "UPDATE"]
 validations:
- - expression: "'ReadWriteOncePod' in object.spec.accessModes"
- message: "The accessMode must be set to ReadWriteOncePod."
+ - expression: "'ReadWriteOncePod' in object.spec.accessModes"
+ message: "The accessMode must be set to ReadWriteOncePod."
diff --git a/other-vpol/ensure-probes-different/artifacthub-pkg.yml b/other-vpol/ensure-probes-different/artifacthub-pkg.yml
index 3baaa242a..9f72a8d08 100644
--- a/other-vpol/ensure-probes-different/artifacthub-pkg.yml
+++ b/other-vpol/ensure-probes-different/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Sample in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Pod"
-digest: fdf7381d75a9d00afb9660dbdbffacde89bf96aee59dff76320866163031d159
+digest: ebc10399c0cbbaa689f326a5a60177304fa09068f31ee82460d97d4727ed3314
 createdAt: "2025-05-11T17:46:12Z"
diff --git a/other-vpol/ensure-probes-different/ensure-probes-different.yaml b/other-vpol/ensure-probes-different/ensure-probes-different.yaml
index e5ecbcba2..6bc9d9c75 100644
--- a/other-vpol/ensure-probes-different/ensure-probes-different.yaml
+++ b/other-vpol/ensure-probes-different/ensure-probes-different.yaml
@@ -30,9 +30,9 @@ spec:
 resources: ["deployments", "daemonsets", "statefulsets"]
 operations: ["CREATE", "UPDATE"]
 validations:
- - expression: >-
- !object.spec.template.spec.containers.exists(container,
- has(container.readinessProbe) && has(container.livenessProbe) &&
- container.readinessProbe == container.livenessProbe)
- message: "Liveness and readiness probes cannot be the same."
+ - expression: >-
+ !object.spec.template.spec.containers.exists(container,
+ has(container.readinessProbe) && has(container.livenessProbe) &&
+ container.readinessProbe == container.livenessProbe)
+ message: "Liveness and readiness probes cannot be the same."
diff --git a/other-vpol/exclude-namespaces-dynamically/artifacthub-pkg.yml b/other-vpol/exclude-namespaces-dynamically/artifacthub-pkg.yml
index 1751a9954..044410949 100644
--- a/other-vpol/exclude-namespaces-dynamically/artifacthub-pkg.yml
+++ b/other-vpol/exclude-namespaces-dynamically/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Sample in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Namespace, Pod"
-digest: 5c7d57f447b33436dd703f159118c9a8ff409e8b966fa25aa54291c7c68744b2
+digest: 21a98a0fb852b2b00642d90cf5f1b3fb8155cc28bd47461a0ff3e5345220ae79
 createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml b/other-vpol/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml
index 2ea314bb9..35fa1005e 100644
--- a/other-vpol/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml
+++ b/other-vpol/exclude-namespaces-dynamically/exclude-namespaces-dynamically.yaml
@@ -47,7 +47,6 @@ spec:
 resource.Get("v1", "configmaps", "default", "namespace-filters")
 - name: filter
 expression: "request.namespace in variables.cm.data['exclude'].split(', ')"
-
 validations:
 - expression: >
 request.kind.kind == 'Pod' ?
diff --git a/other-vpol/forbid-cpu-limits/artifacthub-pkg.yml b/other-vpol/forbid-cpu-limits/artifacthub-pkg.yml
index 2af35847b..a4ea9c74d 100644
--- a/other-vpol/forbid-cpu-limits/artifacthub-pkg.yml
+++ b/other-vpol/forbid-cpu-limits/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Other in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Pod"
-digest: f9ea5d2ae84e9fb7db0e354701d4aa60dc85fb7ace7bbb084c6b80869fffacf1
+digest: 5cc756587ef5fa9fec47380bdbc52b563738826b7348a557996a0eb41ba6277c
 createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/forbid-cpu-limits/forbid-cpu-limits.yaml b/other-vpol/forbid-cpu-limits/forbid-cpu-limits.yaml
index 56579a4f3..a02221058 100644
--- a/other-vpol/forbid-cpu-limits/forbid-cpu-limits.yaml
+++ b/other-vpol/forbid-cpu-limits/forbid-cpu-limits.yaml
@@ -25,8 +25,8 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["pods"]
 validations:
- - expression: >-
+ - expression: >-
 !object.spec.containers.exists(container, container.?resources.?limits.?cpu.hasValue())
- message: Containers may not define CPU limits.
+ message: Containers may not define CPU limits.
diff --git a/other-vpol/imagepullpolicy-always/artifacthub-pkg.yml b/other-vpol/imagepullpolicy-always/artifacthub-pkg.yml
index ba6b6d118..8e71c50e6 100644
--- a/other-vpol/imagepullpolicy-always/artifacthub-pkg.yml
+++ b/other-vpol/imagepullpolicy-always/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Sample in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Pod"
-digest: e4b1dc1eae86ea58707446bb48ccff92619634dee37c72a7e36a4fe0b84cc62a
+digest: 0edb45c4ea9314d5fbc1fdaacbbd83a30458224419f05bc393b6bae445edc3ad
 createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/imagepullpolicy-always/imagepullpolicy-always.yaml b/other-vpol/imagepullpolicy-always/imagepullpolicy-always.yaml
index 1d0cb985b..5076aa010 100644
--- a/other-vpol/imagepullpolicy-always/imagepullpolicy-always.yaml
+++ b/other-vpol/imagepullpolicy-always/imagepullpolicy-always.yaml
@@ -27,10 +27,10 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["pods"]
 validations:
- - expression: >-
- object.spec.containers.all(container,
- (container.image.endsWith(':latest') || !container.image.contains(':')) ?
- container.imagePullPolicy == 'Always' : true)
- message: >-
- The imagePullPolicy must be set to `Always` when the tag `latest` is used.
+ - expression: >-
+ object.spec.containers.all(container,
+ (container.image.endsWith(':latest') || !container.image.contains(':')) ?
+ container.imagePullPolicy == 'Always' : true)
+ message: >-
+ The imagePullPolicy must be set to `Always` when the tag `latest` is used.
diff --git a/other-vpol/ingress-host-match-tls/artifacthub-pkg.yml b/other-vpol/ingress-host-match-tls/artifacthub-pkg.yml
index 009c68fdc..3278cd21c 100644
--- a/other-vpol/ingress-host-match-tls/artifacthub-pkg.yml
+++ b/other-vpol/ingress-host-match-tls/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Other in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Ingress"
-digest: f98eb41f40d898bff7030ed950908b1f2c1221bc99900e3a89f82c4fbef0a230
+digest: e1fa776f4860c5fb2148aa41329136b5824dfad95d4ac4f5ff46fee1b6af1b8a
 createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/ingress-host-match-tls/ingress-host-match-tls.yaml b/other-vpol/ingress-host-match-tls/ingress-host-match-tls.yaml
index 3c8bcf1da..edc984bf4 100644
--- a/other-vpol/ingress-host-match-tls/ingress-host-match-tls.yaml
+++ b/other-vpol/ingress-host-match-tls/ingress-host-match-tls.yaml
@@ -29,12 +29,12 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["ingresses"]
 variables:
- - name: tls
- expression: "object.spec.?tls.orValue([])"
+ - name: tls
+ expression: "object.spec.?tls.orValue([])"
 validations:
- - expression: >-
+ - expression: >-
 object.spec.rules.all(rule,
- !has(rule.host) ||
- variables.tls.exists(tls, tls.?hosts.orValue([]).exists(tlsHost, tlsHost == rule.host)))
- message: "The host(s) in spec.rules[].host must match those in spec.tls[].hosts[]."
+ !has(rule.host) ||
+ variables.tls.exists(tls, tls.?hosts.orValue([]).exists(tlsHost, tlsHost == rule.host)))
+ message: "The host(s) in spec.rules[].host must match those in spec.tls[].hosts[]."
diff --git a/other-vpol/limit-containers-per-pod/artifacthub-pkg.yml b/other-vpol/limit-containers-per-pod/artifacthub-pkg.yml
index a9a067b8a..4c58bae79 100644
--- a/other-vpol/limit-containers-per-pod/artifacthub-pkg.yml
+++ b/other-vpol/limit-containers-per-pod/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Sample in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Pod"
-digest: b7515296a848dab6a5418d774479e250f38c06e07a2c5039aec9464760b71e86
+digest: 29f9bb021c3c5089dbc7268992d63a867e2e9057b4a950fce88a51fd2ab1c132
 createdAt: "2025-05-11T17:46:12Z"
diff --git a/other-vpol/limit-containers-per-pod/limit-containers-per-pod.yaml b/other-vpol/limit-containers-per-pod/limit-containers-per-pod.yaml
index b5d291169..902f8c40a 100644
--- a/other-vpol/limit-containers-per-pod/limit-containers-per-pod.yaml
+++ b/other-vpol/limit-containers-per-pod/limit-containers-per-pod.yaml
@@ -27,6 +27,6 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["pods"]
 validations:
- - expression: "size(object.spec.containers) <= 4"
- message: "Pods can only have a maximum of 4 containers."
+ - expression: "size(object.spec.containers) <= 4"
+ message: "Pods can only have a maximum of 4 containers."
diff --git a/other-vpol/limit-hostpath-type-pv/artifacthub-pkg.yml b/other-vpol/limit-hostpath-type-pv/artifacthub-pkg.yml
index 9f14dfb23..f862e2af8 100644
--- a/other-vpol/limit-hostpath-type-pv/artifacthub-pkg.yml
+++ b/other-vpol/limit-hostpath-type-pv/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Other in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "PersistentVolume"
-digest: d86210206754e6b6b80f12e04a124a8809d19610229a2bd1016054d2a77cc094
+digest: da9d05f714acdd36ae2e34caf0891fed80743c581239603db9fb2cfb5e1d99f9
 createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml b/other-vpol/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml
index 9d02736b8..93e4da88c 100644
--- a/other-vpol/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml
+++ b/other-vpol/limit-hostpath-type-pv/limit-hostpath-type-pv.yaml
@@ -27,6 +27,6 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["persistentvolumes"]
 validations:
- - expression: "!has(object.spec.hostPath) || object.spec.hostPath.path.startsWith('/data')"
- message: hostPath type persistent volumes are confined to /data.
+ - expression: "!has(object.spec.hostPath) || object.spec.hostPath.path.startsWith('/data')"
+ message: hostPath type persistent volumes are confined to /data.
diff --git a/other-vpol/limit-hostpath-vols/artifacthub-pkg.yml b/other-vpol/limit-hostpath-vols/artifacthub-pkg.yml
index 3ffc71ca9..e27a7a66c 100644
--- a/other-vpol/limit-hostpath-vols/artifacthub-pkg.yml
+++ b/other-vpol/limit-hostpath-vols/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Other in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Pod"
-digest: 0637acbfff9c160e022088580b6b4c59f75c790ee1158e4edf32b5ad08ef3c67
+digest: 0ffc603116acf05b9479f5f38b5fcf3cb8bbf6a16f05430cc3c434043bbeab43
 createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/limit-hostpath-vols/limit-hostpath-vols.yaml b/other-vpol/limit-hostpath-vols/limit-hostpath-vols.yaml
index 3810019d0..86936caf7 100644
--- a/other-vpol/limit-hostpath-vols/limit-hostpath-vols.yaml
+++ b/other-vpol/limit-hostpath-vols/limit-hostpath-vols.yaml
@@ -30,9 +30,9 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["pods"]
 matchConditions:
- - name: "has-host-path-volume"
- expression: "object.spec.?volumes.orValue([]).exists(volume, has(volume.hostPath))"
+ - name: "has-host-path-volume"
+ expression: "object.spec.?volumes.orValue([]).exists(volume, has(volume.hostPath))"
 validations:
- - expression: "object.spec.volumes.all(volume, !has(volume.hostPath) || volume.hostPath.path.split('/')[1] == 'data')"
- message: hostPath volumes are confined to /data.
+ - expression: "object.spec.volumes.all(volume, !has(volume.hostPath) || volume.hostPath.path.split('/')[1] == 'data')"
+ message: hostPath volumes are confined to /data.
diff --git a/other-vpol/memory-requests-equal-limits/artifacthub-pkg.yml b/other-vpol/memory-requests-equal-limits/artifacthub-pkg.yml
index 23045c5ba..12f30c34b 100644
--- a/other-vpol/memory-requests-equal-limits/artifacthub-pkg.yml
+++ b/other-vpol/memory-requests-equal-limits/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Sample in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Pod"
-digest: 93d90517b9874cd1759f07ae88286291dd57a270623a51099a8a5b4c742f6f50
+digest: 36d4cefe4caa31ad7bc76b37090494de7a2926491d638aafa93168915072b955
 createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/memory-requests-equal-limits/memory-requests-equal-limits.yaml b/other-vpol/memory-requests-equal-limits/memory-requests-equal-limits.yaml
index cfa9a4ac2..9310f07cd 100644
--- a/other-vpol/memory-requests-equal-limits/memory-requests-equal-limits.yaml
+++ b/other-vpol/memory-requests-equal-limits/memory-requests-equal-limits.yaml
@@ -26,9 +26,9 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["pods"]
 validations:
- - expression: >-
- object.spec.containers.all(container,
- !container.?resources.?requests.?memory.hasValue() ||
- container.resources.requests.memory == container.resources.?limits.?memory.orValue('-1'))
- message: "resources.requests.memory must be equal to resources.limits.memory"
+ - expression: >-
+ object.spec.containers.all(container,
+ !container.?resources.?requests.?memory.hasValue() ||
+ container.resources.requests.memory == container.resources.?limits.?memory.orValue('-1'))
+ message: "resources.requests.memory must be equal to resources.limits.memory"
diff --git a/other-vpol/metadata-match-regex/artifacthub-pkg.yml b/other-vpol/metadata-match-regex/artifacthub-pkg.yml
index e83ef0382..89457c16c 100644
--- a/other-vpol/metadata-match-regex/artifacthub-pkg.yml
+++ b/other-vpol/metadata-match-regex/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Other in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Pod, Label"
-digest: 6b1e0f1aa8290f566e57e295240f7460b397ce664f67b0a35afe188e3ca217f7
+digest: 5cb0bdd387f91f119efb3f90854a789e8c91c8dd3b55827b60a20d01f39d757d
 createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/metadata-match-regex/metadata-match-regex.yaml b/other-vpol/metadata-match-regex/metadata-match-regex.yaml
index 9062bfa46..bb1fe3258 100644
--- a/other-vpol/metadata-match-regex/metadata-match-regex.yaml
+++ b/other-vpol/metadata-match-regex/metadata-match-regex.yaml
@@ -27,8 +27,8 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["pods"]
 validations:
- - expression: >-
- object.metadata.?labels[?'corp.org/version'].orValue('default').matches('^v[0-9].[0-9].[0-9]$')
- message: >-
- The label `corp.org/version` is required and must match the specified regex: ^v[0-9].[0-9].[0-9]$
+ - expression: >-
+ object.metadata.?labels[?'corp.org/version'].orValue('default').matches('^v[0-9].[0-9].[0-9]$')
+ message: >-
+ The label `corp.org/version` is required and must match the specified regex: ^v[0-9].[0-9].[0-9]$
diff --git a/other-vpol/pdb-maxunavailable/artifacthub-pkg.yml b/other-vpol/pdb-maxunavailable/artifacthub-pkg.yml
index 11bef4671..2bdf1ada2 100644
--- a/other-vpol/pdb-maxunavailable/artifacthub-pkg.yml
+++ b/other-vpol/pdb-maxunavailable/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Other in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "PodDisruptionBudget"
-digest: 16a67748d9c5afa933d7a21ed0cac0700a266044b980539773c2a53b67670db6
+digest: bfd3b4357a2dd202d818a9c89cd81060741393fe442a1730cbab37d802df1481
 createdAt: "2025-05-11T17:46:12Z"
diff --git a/other-vpol/pdb-maxunavailable/pdb-maxunavailable.yaml b/other-vpol/pdb-maxunavailable/pdb-maxunavailable.yaml
index a46392793..154fb97b0 100644
--- a/other-vpol/pdb-maxunavailable/pdb-maxunavailable.yaml
+++ b/other-vpol/pdb-maxunavailable/pdb-maxunavailable.yaml
@@ -26,6 +26,6 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["poddisruptionbudgets"]
 validations:
- - expression: "int(object.spec.?maxUnavailable.orValue(1)) > 0"
- message: "The value of maxUnavailable must be greater than zero."
+ - expression: "int(object.spec.?maxUnavailable.orValue(1)) > 0"
+ message: "The value of maxUnavailable must be greater than zero."
diff --git a/other-vpol/prevent-bare-pods/artifacthub-pkg.yml b/other-vpol/prevent-bare-pods/artifacthub-pkg.yml
index aacdfd703..8b7cae942 100644
--- a/other-vpol/prevent-bare-pods/artifacthub-pkg.yml
+++ b/other-vpol/prevent-bare-pods/artifacthub-pkg.yml
@@ -20,7 +20,7 @@ annotations:
 kyverno/category: "Other, EKS Best Practices in vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Pod"
-digest: 6c70f1c1bcb495cf4bd0de7c276da3e7184a99ca5a9f3ee7729619cbd49341e1
+digest: f5ede43b6c327796489c2d9b413ef96b31dcea607368ff651e57be79d5b3bee0
 createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/prevent-bare-pods/prevent-bare-pods.yaml b/other-vpol/prevent-bare-pods/prevent-bare-pods.yaml
index 5725a4cf5..decfffb58 100644
--- a/other-vpol/prevent-bare-pods/prevent-bare-pods.yaml
+++ b/other-vpol/prevent-bare-pods/prevent-bare-pods.yaml
@@ -31,6 +31,6 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["pods"]
 validations:
- - expression: "'ownerReferences' in object.metadata"
- message: "Bare Pods are not allowed. They must be created by Pod controllers."
+ - expression: "'ownerReferences' in object.metadata"
+ message: "Bare Pods are not allowed. They must be created by Pod controllers."
diff --git a/other-vpol/prevent-cr8escape/artifacthub-pkg.yml b/other-vpol/prevent-cr8escape/artifacthub-pkg.yml
index 9820a6188..14ea0ff65 100644
--- a/other-vpol/prevent-cr8escape/artifacthub-pkg.yml
+++ b/other-vpol/prevent-cr8escape/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Other in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Pod"
-digest: 229c161373d81f6e613010995793c4aab2715d232c53ad8f6a7db7a54adc58dc
+digest: 4ccac2032a49b457efcbfdf9ce4f6134b945b44a2f39ad2c40dd187359a23df7
 createdAt: "2025-05-11T17:46:12Z"
diff --git a/other-vpol/prevent-cr8escape/prevent-cr8escape.yaml b/other-vpol/prevent-cr8escape/prevent-cr8escape.yaml
index 7ade157e2..60a85b88f 100644
--- a/other-vpol/prevent-cr8escape/prevent-cr8escape.yaml
+++ b/other-vpol/prevent-cr8escape/prevent-cr8escape.yaml
@@ -27,8 +27,8 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["pods"]
 validations:
- - expression: >-
- object.spec.?securityContext.?sysctls.orValue([]).all(sysctl,
- !has(sysctl.value) || (!sysctl.value.contains('+') && !sysctl.value.contains('=')))
- message: "characters '+' or '=' are not allowed in sysctls values"
+ - expression: >-
+ object.spec.?securityContext.?sysctls.orValue([]).all(sysctl,
+ !has(sysctl.value) || (!sysctl.value.contains('+') && !sysctl.value.contains('=')))
+ message: "characters '+' or '=' are not allowed in sysctls values"
diff --git a/other-vpol/require-annotations/artifacthub-pkg.yml b/other-vpol/require-annotations/artifacthub-pkg.yml
index bc26821da..74118e164 100644
--- a/other-vpol/require-annotations/artifacthub-pkg.yml
+++ b/other-vpol/require-annotations/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Other in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Pod, Annotation"
-digest: b817508f0b3380f689f21c86e2de2ddff16f818eceac74f7d0398f884a3b7f09
+digest: 6c01587f075a7e71c7fe887eb2edcd33685ee030347b3526ee1730cdca048356
 createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/require-annotations/require-annotations.yaml b/other-vpol/require-annotations/require-annotations.yaml
index d3111dc8e..b3da179c3 100644
--- a/other-vpol/require-annotations/require-annotations.yaml
+++ b/other-vpol/require-annotations/require-annotations.yaml
@@ -27,7 +27,7 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["pods"]
 validations:
- - expression: >-
- object.metadata.?annotations[?'corp.org/department'].orValue('') != ''
- message: "The annotation `corp.org/department` is required."
+ - expression: >-
+ object.metadata.?annotations[?'corp.org/department'].orValue('') != ''
+ message: "The annotation `corp.org/department` is required."
diff --git a/other-vpol/require-container-port-names/artifacthub-pkg.yml b/other-vpol/require-container-port-names/artifacthub-pkg.yml
index 90db56449..60e36c9da 100644
--- a/other-vpol/require-container-port-names/artifacthub-pkg.yml
+++ b/other-vpol/require-container-port-names/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Other in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Pod"
-digest: 89ddb711716beb52d9d9e208ab8d7ecf1adecea9b2ba70e07cb4e75cd508deb1
+digest: f01d5e67f16c51ded869cb4a5b33adc54ac3794b898a46cfb5aa4500eb1a444b
 createdAt: "2025-05-11T17:46:12Z"
diff --git a/other-vpol/require-container-port-names/require-container-port-names.yaml b/other-vpol/require-container-port-names/require-container-port-names.yaml
index bf145f008..5d5d948d9 100644
--- a/other-vpol/require-container-port-names/require-container-port-names.yaml
+++ b/other-vpol/require-container-port-names/require-container-port-names.yaml
@@ -28,6 +28,6 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["pods"]
 validations:
- - expression: "object.spec.containers.all(container, container.?ports.orValue([]).all(port, has(port.name)))"
- message: Name is required for every containerPort.
+ - expression: "object.spec.containers.all(container, container.?ports.orValue([]).all(port, has(port.name)))"
+ message: Name is required for every containerPort.
diff --git a/other-vpol/require-deployments-have-multiple-replicas/artifacthub-pkg.yml b/other-vpol/require-deployments-have-multiple-replicas/artifacthub-pkg.yml
index 01380f12e..2b643565b 100644
--- a/other-vpol/require-deployments-have-multiple-replicas/artifacthub-pkg.yml
+++ b/other-vpol/require-deployments-have-multiple-replicas/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Sample in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Deployment"
-digest: 7454d199c2834bfb0bbe8704733ca21de768026c373dd4e074a554693c69547b
+digest: 87c639ea203c26a74b81eb47757006cbbd540343ede5cd6ecc617b856a6532b6
 createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml b/other-vpol/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml
index 247d77560..c502b0236 100644
--- a/other-vpol/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml
+++ b/other-vpol/require-deployments-have-multiple-replicas/require-deployments-have-multiple-replicas.yaml
@@ -26,6 +26,6 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["deployments"]
 validations:
- - expression: "object.spec.replicas > 1"
- message: "Deployments should have more than one replica to ensure availability."
+ - expression: "object.spec.replicas > 1"
+ message: "Deployments should have more than one replica to ensure availability."
diff --git a/other-vpol/require-emptydir-requests-limits/artifacthub-pkg.yml b/other-vpol/require-emptydir-requests-limits/artifacthub-pkg.yml
index 32f344867..a4a64dee0 100644
--- a/other-vpol/require-emptydir-requests-limits/artifacthub-pkg.yml
+++ b/other-vpol/require-emptydir-requests-limits/artifacthub-pkg.yml
@@ -19,6 +19,6 @@ annotations:
 kyverno/category: "Other in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Pod"
-digest: d89b347f976cf3c76780c6255b6502d90efbed70ed72f5b2b04f4cd1152e4077
+digest: 7aef0435224cb1730b8c34bd783d872334bb12dbeb0a405b6ea3e45bd7766392
 createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml b/other-vpol/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml
index 2ec749a36..374742ccc 100644
--- a/other-vpol/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml
+++ b/other-vpol/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml
@@ -28,20 +28,20 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["pods"]
 matchConditions:
- - name: has-emptydir-volume
- expression: "object.spec.?volumes.orValue([]).exists(volume, has(volume.emptyDir))"
+ - name: has-emptydir-volume
+ expression: "object.spec.?volumes.orValue([]).exists(volume, has(volume.emptyDir))"
 variables:
- - name: containers
- expression: "object.spec.containers + object.spec.?initContainers.orValue([])"
- - name: emptydirnames
- expression: >-
- object.spec.volumes.orValue([]).filter(volume, has(volume.emptyDir) && !has(volume.emptyDir.sizeLimit)).map(volume, volume.name)
+ - name: containers
+ expression: "object.spec.containers + object.spec.?initContainers.orValue([])"
+ - name: emptydirnames
+ expression: >-
+ object.spec.volumes.orValue([]).filter(volume, has(volume.emptyDir) && !has(volume.emptyDir.sizeLimit)).map(volume, volume.name)
 validations:
- - expression: >-
- variables.containers.all(container,
- !container.?volumeMounts.orValue([]).exists(mount, mount.name in variables.emptydirnames) ||
- container.resources.?requests[?'ephemeral-storage'].hasValue() &&
- container.resources.?limits[?'ephemeral-storage'].hasValue())
- message: Containers mounting emptyDir volumes must specify requests and limits for ephemeral-storage.
+ - expression: >-
+ variables.containers.all(container,
+ !container.?volumeMounts.orValue([]).exists(mount, mount.name in variables.emptydirnames) ||
+ container.resources.?requests[?'ephemeral-storage'].hasValue() &&
+ container.resources.?limits[?'ephemeral-storage'].hasValue())
+ message: Containers mounting emptyDir volumes must specify requests and limits for ephemeral-storage.
diff --git a/other-vpol/require-image-checksum/artifacthub-pkg.yml b/other-vpol/require-image-checksum/artifacthub-pkg.yml
index ded50795d..886b76107 100644
--- a/other-vpol/require-image-checksum/artifacthub-pkg.yml
+++ b/other-vpol/require-image-checksum/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Sample in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Pod"
-digest: 06a066e144ca471598c7206c4744e5e6a83be026a67c768ec6d383742cf26755
+digest: 8ada9e6310cbfce82f3bc9e0013778d1c0dfacf2264a1ae29063b8ca860b2612
 createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/require-image-checksum/require-image-checksum.yaml b/other-vpol/require-image-checksum/require-image-checksum.yaml
index a8911d791..542dcea84 100644
--- a/other-vpol/require-image-checksum/require-image-checksum.yaml
+++ b/other-vpol/require-image-checksum/require-image-checksum.yaml
@@ -26,6 +26,6 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["pods"]
 validations:
- - expression: "object.spec.containers.all(container, container.image.contains('@'))"
- message: "Images must use checksums rather than tags."
+ - expression: "object.spec.containers.all(container, container.image.contains('@'))"
+ message: "Images must use checksums rather than tags."
diff --git a/other-vpol/require-ingress-https/artifacthub-pkg.yml b/other-vpol/require-ingress-https/artifacthub-pkg.yml
index c2fbfbfb3..83c7007d4 100644
--- a/other-vpol/require-ingress-https/artifacthub-pkg.yml
+++ b/other-vpol/require-ingress-https/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Other in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Ingress"
-digest: 35fc81725d910903647574b0d1b4866bdc36365707f9e54c9534cb57c0dfd7a5
+digest: f376bd565b0df4c1e9c82264a5396d6aea866fc72b1ab123214e751b326077bc
 createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/require-ingress-https/require-ingress-https.yaml b/other-vpol/require-ingress-https/require-ingress-https.yaml
index e700cf96b..fd3b77c5e 100644
--- a/other-vpol/require-ingress-https/require-ingress-https.yaml
+++ b/other-vpol/require-ingress-https/require-ingress-https.yaml
@@ -27,10 +27,9 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["ingresses"]
 validations:
- - expression: >-
- object.metadata.?annotations[?'kubernetes.io/ingress.allow-http'].orValue('default') == 'false'
- message: "The kubernetes.io/ingress.allow-http annotation must be set to false."
-
- - expression: "has(object.spec.tls)"
- message: "TLS must be defined."
+ - expression: >-
+ object.metadata.?annotations[?'kubernetes.io/ingress.allow-http'].orValue('default') == 'false'
+ message: "The kubernetes.io/ingress.allow-http annotation must be set to false."
+ - expression: "has(object.spec.tls)"
+ message: "TLS must be defined."
diff --git a/other-vpol/require-pod-priorityclassname/artifacthub-pkg.yml b/other-vpol/require-pod-priorityclassname/artifacthub-pkg.yml
index 4a253bd02..650185467 100644
--- a/other-vpol/require-pod-priorityclassname/artifacthub-pkg.yml
+++ b/other-vpol/require-pod-priorityclassname/artifacthub-pkg.yml
@@ -20,7 +20,7 @@ annotations:
 kyverno/category: "Multi-Tenancy, EKS Best Practices in vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Pod"
-digest: 835716aad2c96d14b8917e9f2c3a2a2dec0cbda3ab52ae1b553a040abd15b155
+digest: aa225b636f6c9bac717de71269f8cc2c72865f83e529030baa25b4f69cc43795
 createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/require-pod-priorityclassname/require-pod-priorityclassname.yaml b/other-vpol/require-pod-priorityclassname/require-pod-priorityclassname.yaml
index 1b5a86e96..88fcd9229 100644
--- a/other-vpol/require-pod-priorityclassname/require-pod-priorityclassname.yaml
+++ b/other-vpol/require-pod-priorityclassname/require-pod-priorityclassname.yaml
@@ -29,6 +29,6 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["pods"]
 validations:
- - expression: "object.spec.?priorityClassName.orValue('') != ''"
- message: "Pods must define the priorityClassName field."
+ - expression: "object.spec.?priorityClassName.orValue('') != ''"
+ message: "Pods must define the priorityClassName field."
diff --git a/other-vpol/require-qos-burstable/artifacthub-pkg.yml b/other-vpol/require-qos-burstable/artifacthub-pkg.yml
index da57a4e6c..203611b1c 100644
--- a/other-vpol/require-qos-burstable/artifacthub-pkg.yml
+++ b/other-vpol/require-qos-burstable/artifacthub-pkg.yml
@@ -20,7 +20,7 @@ annotations:
 kyverno/category: "Other, Multi-Tenancy in vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Pod"
-digest: 10a5cedab0b823df1ce582323d29fdf0052d840e2ceedb9b9bc75c8637d4425c
+digest: 8f2971bcea079f0a3966a498f37bf658955c2dc59e4c3c0769d1e3e83ac8f510
 createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/require-qos-burstable/require-qos-burstable.yaml b/other-vpol/require-qos-burstable/require-qos-burstable.yaml
index e2a8e7a0a..566b4a5f5 100644
--- a/other-vpol/require-qos-burstable/require-qos-burstable.yaml
+++ b/other-vpol/require-qos-burstable/require-qos-burstable.yaml
@@ -23,7 +23,6 @@ spec:
 evaluation:
 background:
 enabled: true
-
 matchConstraints:
 resourceRules:
 - apiGroups: [""]
@@ -31,8 +30,8 @@ spec:
 operations: ["CREATE", "UPDATE"]
 resources: ["pods"]
 validations:
- - expression: >-
- object.spec.containers.exists(container,
- has(container.resources) && (has(container.resources.requests) || has(container.resources.limits)))
- message: "At least one container in the Pod must define either requests or limits for either CPU or memory."
+ - expression: >-
+ object.spec.containers.exists(container,
+ has(container.resources) && (has(container.resources.requests) || has(container.resources.limits)))
+ message: "At least one container in the Pod must define either requests or limits for either CPU or memory."
diff --git a/other-vpol/require-qos-guaranteed/artifacthub-pkg.yml b/other-vpol/require-qos-guaranteed/artifacthub-pkg.yml
index b9bfa2c37..d0bc33331 100644
--- a/other-vpol/require-qos-guaranteed/artifacthub-pkg.yml
+++ b/other-vpol/require-qos-guaranteed/artifacthub-pkg.yml
@@ -20,6 +20,6 @@ annotations: kyverno/category: "Other, Multi-Tenancy in vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Pod" -digest: 6bad5fba1794294386b962fab2dd9e52a579ff53fc4a51d31fb21d5b13800de6 +digest: 175a5a5cea8e5443f2cf9a808b4383d2db74230dbd3496ea266852ac902094c8 createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/require-qos-guaranteed/require-qos-guaranteed.yaml b/other-vpol/require-qos-guaranteed/require-qos-guaranteed.yaml index 37f8c6db1..5c6c6d977 100644 --- a/other-vpol/require-qos-guaranteed/require-qos-guaranteed.yaml +++ b/other-vpol/require-qos-guaranteed/require-qos-guaranteed.yaml @@ -31,14 +31,14 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["pods"] validations: - - expression: >- - object.spec.containers.all(container, - has(container.resources) && - container.resources.?requests.orValue({}).?cpu.hasValue() && - container.resources.?requests.orValue({}).?memory.hasValue() && - container.resources.?limits.orValue({}).?cpu.hasValue() && - container.resources.?limits.orValue({}).?memory.hasValue() && - container.resources.requests.orValue({}).cpu == container.resources.limits.orValue({}).cpu && - container.resources.requests.orValue({}).memory == container.resources.limits.orValue({}).memory) - message: "All containers must define memory and CPU requests and limits where they are equal." + - expression: >- + object.spec.containers.all(container, + has(container.resources) && + container.resources.?requests.orValue({}).?cpu.hasValue() && + container.resources.?requests.orValue({}).?memory.hasValue() && + container.resources.?limits.orValue({}).?cpu.hasValue() && + container.resources.?limits.orValue({}).?memory.hasValue() && + container.resources.requests.orValue({}).cpu == container.resources.limits.orValue({}).cpu && + container.resources.requests.orValue({}).memory == container.resources.limits.orValue({}).memory) + message: "All containers must define memory and CPU requests and limits where they are equal." 
diff --git a/other-vpol/require-storageclass/artifacthub-pkg.yml b/other-vpol/require-storageclass/artifacthub-pkg.yml index d3a5eded2..7b4b6efb1 100644 --- a/other-vpol/require-storageclass/artifacthub-pkg.yml +++ b/other-vpol/require-storageclass/artifacthub-pkg.yml @@ -20,7 +20,7 @@ annotations: kyverno/category: "Other, Multi-Tenancy in vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "PersistentVolumeClaim, StatefulSet" -digest: 45dce22b4055bae63bacdd78dbcb7884620a215d39bbfc695150b4459627c010 +digest: f70e21e5a74441f1921e9547cfd7a86d236eb6c9dd9f19ade87b1610dfb118b9 createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/require-storageclass/require-storageclass.yaml b/other-vpol/require-storageclass/require-storageclass.yaml index 33508735d..f1a15ebb2 100644 --- a/other-vpol/require-storageclass/require-storageclass.yaml +++ b/other-vpol/require-storageclass/require-storageclass.yaml @@ -32,11 +32,11 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["statefulsets"] validations: - - expression: >- - object.kind == 'PersistentVolumeClaim' ? - object.spec.?storageClassName.orValue('') != '' : - object.spec.?volumeClaimTemplates.orValue([]).all(volumeClaimTemplate, - volumeClaimTemplate.spec.?storageClassName.orValue('') != '') - message: >- - "Storage class name is required: PersistentVolumeClaims must have a non-empty storageClassName, - and StatefulSets must define a non-empty storageClassName for all volumeClaimTemplates." \ No newline at end of file + - expression: >- + object.kind == 'PersistentVolumeClaim' ? + object.spec.?storageClassName.orValue('') != '' : + object.spec.?volumeClaimTemplates.orValue([]).all(volumeClaimTemplate, + volumeClaimTemplate.spec.?storageClassName.orValue('') != '') + message: >- + "Storage class name is required: PersistentVolumeClaims must have a non-empty storageClassName, + and StatefulSets must define a non-empty storageClassName for all volumeClaimTemplates." \ No newline at end of file 
diff --git a/other-vpol/restrict-annotations/artifacthub-pkg.yml b/other-vpol/restrict-annotations/artifacthub-pkg.yml index b1db48633..5d94a508f 100644 --- a/other-vpol/restrict-annotations/artifacthub-pkg.yml +++ b/other-vpol/restrict-annotations/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Sample in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Pod, Annotation" -digest: 35e14e85537017e137930237bab74a020285141c01debc133fa19f5fa24edb47 +digest: bcab17b257477d511f49cbe8fc9a769fca5dbd4f391a7cd8ab063540aa3cde22 createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/restrict-annotations/restrict-annotations.yaml b/other-vpol/restrict-annotations/restrict-annotations.yaml index 8019df0a3..8ddb93dd1 100644 --- a/other-vpol/restrict-annotations/restrict-annotations.yaml +++ b/other-vpol/restrict-annotations/restrict-annotations.yaml @@ -37,6 +37,6 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["cronjobs", "jobs"] validations: - - expression: "!object.metadata.?annotations.orValue([]).exists(annotation, annotation.startsWith('fluxcd.io/'))" - message: Cannot use Flux v1 annotation. + - expression: "!object.metadata.?annotations.orValue([]).exists(annotation, annotation.startsWith('fluxcd.io/'))" + message: Cannot use Flux v1 annotation. diff --git a/other-vpol/restrict-binding-clusteradmin/artifacthub-pkg.yml b/other-vpol/restrict-binding-clusteradmin/artifacthub-pkg.yml index 676d01c11..1f54316ea 100644 --- a/other-vpol/restrict-binding-clusteradmin/artifacthub-pkg.yml +++ b/other-vpol/restrict-binding-clusteradmin/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Security in vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "RoleBinding, ClusterRoleBinding, RBAC" -digest: 7a7399531048742bdad8734d0d10c3e2f11a30a5b8e81cdc49f17d1e07b0ce9a +digest: ca27d2048323e386405077bdcbe97322ffffdca4a58ee780e266f56e940a3c4f createdAt: "2025-05-11T17:46:11Z" 
diff --git a/other-vpol/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml b/other-vpol/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml index 8769dbb60..061edc5b3 100644 --- a/other-vpol/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml +++ b/other-vpol/restrict-binding-clusteradmin/restrict-binding-clusteradmin.yaml @@ -28,6 +28,6 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["rolebindings", "clusterrolebindings"] validations: - - expression: "object.roleRef.name != 'cluster-admin'" - message: "Binding to cluster-admin is not allowed." + - expression: "object.roleRef.name != 'cluster-admin'" + message: "Binding to cluster-admin is not allowed." diff --git a/other-vpol/restrict-binding-system-groups/artifacthub-pkg.yml b/other-vpol/restrict-binding-system-groups/artifacthub-pkg.yml index 5ba619dd6..7f448e712 100644 --- a/other-vpol/restrict-binding-system-groups/artifacthub-pkg.yml +++ b/other-vpol/restrict-binding-system-groups/artifacthub-pkg.yml @@ -20,7 +20,7 @@ annotations: kyverno/category: "Security, EKS Best Practices in vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "RoleBinding, ClusterRoleBinding, RBAC" -digest: 0bccdbf14c2c1a65d9a4ad38cda7581921264b923a1c35365d7c5b6f83590bae +digest: 9696b546b9c1be6ce7b87ea664d07a74d730a8267af028a1187b98814806ba3b createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/restrict-binding-system-groups/restrict-binding-system-groups.yaml b/other-vpol/restrict-binding-system-groups/restrict-binding-system-groups.yaml index 6f05c9034..ac62cbaa5 100644 --- a/other-vpol/restrict-binding-system-groups/restrict-binding-system-groups.yaml +++ b/other-vpol/restrict-binding-system-groups/restrict-binding-system-groups.yaml 
@@ -28,10 +28,10 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["rolebindings", "clusterrolebindings"] validations: - - expression: "object.subjects.all(subject, subject.name != 'system:anonymous')" - message: "Binding to system:anonymous is not allowed." - - expression: "object.subjects.all(subject, subject.name != 'system:unauthenticated')" - message: "Binding to system:unauthenticated is not allowed." - - expression: "object.subjects.all(subject, subject.name != 'system:masters')" - message: "Binding to system:masters is not allowed." + - expression: "object.subjects.all(subject, subject.name != 'system:anonymous')" + message: "Binding to system:anonymous is not allowed." + - expression: "object.subjects.all(subject, subject.name != 'system:unauthenticated')" + message: "Binding to system:unauthenticated is not allowed." + - expression: "object.subjects.all(subject, subject.name != 'system:masters')" + message: "Binding to system:masters is not allowed." diff --git a/other-vpol/restrict-clusterrole-nodesproxy/artifacthub-pkg.yml b/other-vpol/restrict-clusterrole-nodesproxy/artifacthub-pkg.yml index b74c48b19..6b1a42f25 100644 --- a/other-vpol/restrict-clusterrole-nodesproxy/artifacthub-pkg.yml +++ b/other-vpol/restrict-clusterrole-nodesproxy/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Sample in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "ClusterRole, RBAC" -digest: 7a8e6b1a4e6c03fa3af7069f31a00874fcb93da5b2d13684978e89a4123bb514 +digest: b686a5c559918a918a61a7c744e29e09e8e4b363c32e0430d7faf1c51007ee1b createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml b/other-vpol/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml index 0f0fe16e4..d247c31e5 100644 --- a/other-vpol/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml +++ b/other-vpol/restrict-clusterrole-nodesproxy/restrict-clusterrole-nodesproxy.yaml 
@@ -30,10 +30,10 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["clusterroles"] validations: - - expression: >- - object.rules == null || - !object.rules.exists(rule, - rule.resources.exists(resource, resource == 'nodes/proxy') && - rule.apiGroups.exists(apiGroup, apiGroup == '')) - message: "A ClusterRole containing the nodes/proxy resource is not allowed." + - expression: >- + object.rules == null || + !object.rules.exists(rule, + rule.resources.exists(resource, resource == 'nodes/proxy') && + rule.apiGroups.exists(apiGroup, apiGroup == '')) + message: "A ClusterRole containing the nodes/proxy resource is not allowed." diff --git a/other-vpol/restrict-controlplane-scheduling/artifacthub-pkg.yml b/other-vpol/restrict-controlplane-scheduling/artifacthub-pkg.yml index 4958f891e..73212a1c8 100644 --- a/other-vpol/restrict-controlplane-scheduling/artifacthub-pkg.yml +++ b/other-vpol/restrict-controlplane-scheduling/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Sample in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Pod" -digest: 758886fef34ef14833a532bda4f325134e55349151222ea3cab29f2db36402b2 +digest: 4a562382ee0095f449a1f7443bae20a7dbf88a9fdd0157b0db7c7625df2b0533 createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml b/other-vpol/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml index 724b130cc..c6cd86b01 100644 --- a/other-vpol/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml +++ b/other-vpol/restrict-controlplane-scheduling/restrict-controlplane-scheduling.yaml 
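Review bot: The nodes/proxy validation on the new side only fires when a rule literally lists `nodes/proxy` under apiGroup `''`, so a ClusterRole granting `resources: ["*"]`, `resources: ["*/proxy"]` or `apiGroups: ["*"]` confers the same kubelet-proxy access and still passes; as I read the RBAC matcher, those wildcard forms are resolved at authorization time. The sibling restrict-escalation-verbs-roles policy converted in this same patch already includes `'*'` in its apiGroups and resources lists, so this policy is inconsistent with it. Consider `rule.resources.exists(resource, resource in ['*', '*/proxy', 'nodes/proxy']) && rule.apiGroups.exists(apiGroup, apiGroup in ['*', ''])`. The enclosing policy spec starts outside the hunk.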
@@ -27,8 +27,8 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["pods"] validations: - - expression: >- - !has(object.spec.tolerations) || - !object.spec.tolerations.exists(toleration, toleration.?key.orValue('') in ['node-role.kubernetes.io/master', 'node-role.kubernetes.io/control-plane']) - message: Pods may not use tolerations which schedule on control plane nodes. + - expression: >- + !has(object.spec.tolerations) || + !object.spec.tolerations.exists(toleration, toleration.?key.orValue('') in ['node-role.kubernetes.io/master', 'node-role.kubernetes.io/control-plane']) + message: Pods may not use tolerations which schedule on control plane nodes. diff --git a/other-vpol/restrict-deprecated-registry/artifacthub-pkg.yml b/other-vpol/restrict-deprecated-registry/artifacthub-pkg.yml index 4a235daca..c8beb93d4 100644 --- a/other-vpol/restrict-deprecated-registry/artifacthub-pkg.yml +++ b/other-vpol/restrict-deprecated-registry/artifacthub-pkg.yml @@ -20,7 +20,7 @@ annotations: kyverno/category: "Best Practices, EKS Best Practices in vpol" kyverno/kubernetesVersion: "1.27-1.28" kyverno/subject: "Pod" -digest: 7d7f8642b9631b67ff4d064afd001bf7ece580b12d6c39e20b69d2fb6d1c9e19 +digest: fe5d0ce2e47c44cc406ddba59b0b59184d304902e228c7093bdae4d359799985 createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/restrict-deprecated-registry/restrict-deprecated-registry.yaml b/other-vpol/restrict-deprecated-registry/restrict-deprecated-registry.yaml index fbe4a16c5..b14cdb69d 100644 --- a/other-vpol/restrict-deprecated-registry/restrict-deprecated-registry.yaml +++ b/other-vpol/restrict-deprecated-registry/restrict-deprecated-registry.yaml @@ -20,7 +20,6 @@ spec: evaluation: background: enabled: true - matchConstraints: resourceRules: - apiGroups: [""] 
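Review bot: A toleration with no key and `operator: Exists` tolerates every taint, including the control-plane ones, but the new expression maps a missing key to `''` and only compares it against the two role keys, so such a Pod is not caught. Add that case to the `exists` predicate, e.g. `(toleration.?operator.orValue('Equal') == 'Exists' && toleration.?key.orValue('') == '')` OR-ed with the existing key test. To my knowledge the kubelet does not enforce NoSchedule taints, so a Pod that sets `spec.nodeName` to a control-plane node bypasses the scheduler and this policy as well; whether that is in scope here is a design decision worth a comment in the policy description. The enclosing policy spec starts outside the hunk.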
@@ -28,9 +27,9 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["pods"] variables: - - name: allContainers - expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" + - name: allContainers + expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])" validations: - - expression: "variables.allContainers.all(container, !container.image.startsWith('k8s.gcr.io/'))" - message: "The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used." + - expression: "variables.allContainers.all(container, !container.image.startsWith('k8s.gcr.io/'))" + message: "The \"k8s.gcr.io\" image registry is deprecated. \"registry.k8s.io\" should now be used." diff --git a/other-vpol/restrict-edit-for-endpoints/artifacthub-pkg.yml b/other-vpol/restrict-edit-for-endpoints/artifacthub-pkg.yml index f18bb6163..57970519d 100644 --- a/other-vpol/restrict-edit-for-endpoints/artifacthub-pkg.yml +++ b/other-vpol/restrict-edit-for-endpoints/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Security in vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "ClusterRole" -digest: 4fb03c3cd216334f03890a7e26a7b2044901d71e61d703cabdcab7668d6b96c4 +digest: 4501fc696db216e18a0aee77db2172794958cc485c46073b5fc3b3e5b9fe29db createdAt: "2025-05-11T17:46:12Z" diff --git a/other-vpol/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml b/other-vpol/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml index a60332b7c..9d99c174b 100644 --- a/other-vpol/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml +++ b/other-vpol/restrict-edit-for-endpoints/restrict-edit-for-endpoints.yaml 
@@ -31,8 +31,8 @@ spec: resources: ["clusterroles"] resourceNames: ["system:aggregate-to-edit"] validations: - - expression: "!object.rules.exists(rule, 'endpoints' in rule.resources && 'edit' in rule.verbs)" - message: >- - This cluster may still be vulnerable to CVE-2021-25740. The system:aggregate-to-edit ClusterRole - should not have edit permission over Endpoints. + - expression: "!object.rules.exists(rule, 'endpoints' in rule.resources && 'edit' in rule.verbs)" + message: >- + This cluster may still be vulnerable to CVE-2021-25740. The system:aggregate-to-edit ClusterRole + should not have edit permission over Endpoints. diff --git a/other-vpol/restrict-escalation-verbs-roles/artifacthub-pkg.yml b/other-vpol/restrict-escalation-verbs-roles/artifacthub-pkg.yml index fbd9d451c..b2340b7f7 100644 --- a/other-vpol/restrict-escalation-verbs-roles/artifacthub-pkg.yml +++ b/other-vpol/restrict-escalation-verbs-roles/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Security in vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Role, ClusterRole, RBAC" -digest: 7c7efe9c9f72e2419fa6c4225a69fc6eb861674228e4bbe00ba7ebde6b997992 +digest: a26cb647dab19f806b82f72d9fae59217f2a88d53a8f637fc723aa9551628733 createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml b/other-vpol/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml index 35d72ae9b..d6faed5c9 100644 --- a/other-vpol/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml +++ b/other-vpol/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml 
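Review bot: `'edit' in rule.verbs` can never be true for a real ClusterRole because `edit` is not an RBAC verb (the write verbs are `create`, `update`, `patch`, `delete`, plus `*`), so the validation on the new side passes every system:aggregate-to-edit update and the CVE-2021-25740 check its message describes is never enforced. The test should look for any write verb, e.g. `!object.rules.exists(rule, rule.resources.exists(r, r in ['*', 'endpoints']) && rule.verbs.exists(v, v in ['*', 'create', 'update', 'patch', 'delete']))`. If the original ClusterPolicy matched the same literal string this predates the conversion, but the expression is the only thing this policy does and it is worth correcting here. The enclosing policy spec starts outside the hunk.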
@@ -27,18 +27,18 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["roles", "clusterroles"] variables: - - name: apiGroups - expression: "['*', 'rbac.authorization.k8s.io']" - - name: resources - expression: "['*', 'clusterroles', 'roles']" - - name: verbs - expression: "['*', 'bind', 'escalate', 'impersonate']" + - name: apiGroups + expression: "['*', 'rbac.authorization.k8s.io']" + - name: resources + expression: "['*', 'clusterroles', 'roles']" + - name: verbs + expression: "['*', 'bind', 'escalate', 'impersonate']" validations: - - expression: >- - object.rules == null || - !object.rules.exists(rule, - rule.apiGroups.exists(apiGroup, apiGroup in variables.apiGroups) && - rule.resources.exists(resource, resource in variables.resources) && - rule.verbs.exists(verb, verb in variables.verbs)) - message: "Use of verbs `escalate`, `bind`, and `impersonate` are forbidden." + - expression: >- + object.rules == null || + !object.rules.exists(rule, + rule.apiGroups.exists(apiGroup, apiGroup in variables.apiGroups) && + rule.resources.exists(resource, resource in variables.resources) && + rule.verbs.exists(verb, verb in variables.verbs)) + message: "Use of verbs `escalate`, `bind`, and `impersonate` are forbidden." diff --git a/other-vpol/restrict-ingress-classes/artifacthub-pkg.yml b/other-vpol/restrict-ingress-classes/artifacthub-pkg.yml index 3fb402aba..12c2e072a 100644 --- a/other-vpol/restrict-ingress-classes/artifacthub-pkg.yml +++ b/other-vpol/restrict-ingress-classes/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Sample in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Ingress" -digest: edd0498d83079b95dc38fba221362ade1a35ea7e7d528801794640501b407414 +digest: 6a137548f57074c56ca1bdb9ea475a83b3ecf984c518b3edf97a686861a2fdbf createdAt: "2025-05-11T17:46:12Z" 
diff --git a/other-vpol/restrict-ingress-classes/restrict-ingress-classes.yaml b/other-vpol/restrict-ingress-classes/restrict-ingress-classes.yaml index 4eca3b748..c9ba647e1 100644 --- a/other-vpol/restrict-ingress-classes/restrict-ingress-classes.yaml +++ b/other-vpol/restrict-ingress-classes/restrict-ingress-classes.yaml @@ -29,7 +29,7 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["ingresses"] validations: - - expression: >- - object.metadata.?annotations[?'kubernetes.io/ingress.class'].orValue('') in ['HAProxy', 'nginx'] - message: "Unknown ingress class." + - expression: >- + object.metadata.?annotations[?'kubernetes.io/ingress.class'].orValue('') in ['HAProxy', 'nginx'] + message: "Unknown ingress class." diff --git a/other-vpol/restrict-ingress-defaultbackend/artifacthub-pkg.yml b/other-vpol/restrict-ingress-defaultbackend/artifacthub-pkg.yml index 1522fb283..eeb794a5c 100644 --- a/other-vpol/restrict-ingress-defaultbackend/artifacthub-pkg.yml +++ b/other-vpol/restrict-ingress-defaultbackend/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Best Practices in vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Ingress" -digest: d4a2811e5cf868549c8f72307f41bd2404cbecb554ee531eb9a13282de5df254 +digest: d01778e39cf50535a5d7cf01bcebd1e251d0d2dc05f47ccacd000edabd88f387 createdAt: "2025-05-11T17:46:12Z" diff --git a/other-vpol/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml b/other-vpol/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml index 1b5c77210..c6838a05c 100644 --- a/other-vpol/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml +++ b/other-vpol/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml 
@@ -30,6 +30,6 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["ingresses"] validations: - - expression: "!has(object.spec.defaultBackend)" - message: Setting the defaultBackend field is prohibited. + - expression: "!has(object.spec.defaultBackend)" + message: Setting the defaultBackend field is prohibited. diff --git a/other-vpol/restrict-ingress-wildcard/artifacthub-pkg.yml b/other-vpol/restrict-ingress-wildcard/artifacthub-pkg.yml index 509ceefae..be37bc520 100644 --- a/other-vpol/restrict-ingress-wildcard/artifacthub-pkg.yml +++ b/other-vpol/restrict-ingress-wildcard/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Other in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Ingress" -digest: 1e0515be7a58f18fb6326a5db26e7084bdc6012f391916122601c38a4bc032df +digest: ae23cf7c35e7053d9d4c64289011f82beac0a239d0fd45a65040b1b2f619ce8a createdAt: "2025-05-11T17:46:12Z" diff --git a/other-vpol/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml b/other-vpol/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml index 3335df8cb..2f74450fc 100644 --- a/other-vpol/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml +++ b/other-vpol/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml @@ -29,6 +29,6 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["ingresses"] validations: - - expression: "!object.spec.?rules.orValue([]).exists(rule, has(rule.host) && rule.host.contains('*'))" - message: "Wildcards are not permitted as hosts." + - expression: "!object.spec.?rules.orValue([]).exists(rule, has(rule.host) && rule.host.contains('*'))" + message: "Wildcards are not permitted as hosts." diff --git a/other-vpol/restrict-jobs/artifacthub-pkg.yml b/other-vpol/restrict-jobs/artifacthub-pkg.yml index f39c1ccf0..7d9ea5882 100644 --- a/other-vpol/restrict-jobs/artifacthub-pkg.yml +++ b/other-vpol/restrict-jobs/artifacthub-pkg.yml 
@@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Job" -digest: 6fa9178a19b4f07127d80069bdd4c789be0e699e9dee41383e1616f93f926221 +digest: df2f56da0dfb1d6210ddc231792bcb3498c291edaeafe8ac7ca475c8071303fc createdAt: "2025-05-11T17:46:12Z" diff --git a/other-vpol/restrict-jobs/restrict-jobs.yaml b/other-vpol/restrict-jobs/restrict-jobs.yaml index 060270478..bcf910b32 100644 --- a/other-vpol/restrict-jobs/restrict-jobs.yaml +++ b/other-vpol/restrict-jobs/restrict-jobs.yaml @@ -22,9 +22,9 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["jobs"] matchConditions: - - name: "not-created-by-cronjob" - expression: "!has(object.metadata.ownerReferences) || object.metadata.ownerReferences[0].kind != 'CronJob'" + - name: "not-created-by-cronjob" + expression: "!has(object.metadata.ownerReferences) || object.metadata.ownerReferences[0].kind != 'CronJob'" validations: - - expression: "false" - message: Jobs are only allowed if spawned from CronJobs. + - expression: "false" + message: Jobs are only allowed if spawned from CronJobs. diff --git a/other-vpol/restrict-loadbalancer/artifacthub-pkg.yml b/other-vpol/restrict-loadbalancer/artifacthub-pkg.yml index de9efbb5f..6e2ef241c 100644 --- a/other-vpol/restrict-loadbalancer/artifacthub-pkg.yml +++ b/other-vpol/restrict-loadbalancer/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Sample in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Service" -digest: ae950b0d9cbd1a7ce04305dc1bbfbe157564951b8f276c1f5a6eb59ec07d97a8 +digest: e6e40094dc8d2595f31af3bb63f5c53d2bae790d3ac3d3023283e5d599b4ff67 createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/restrict-loadbalancer/restrict-loadbalancer.yaml b/other-vpol/restrict-loadbalancer/restrict-loadbalancer.yaml index b097b41b8..1842cde89 100644 --- a/other-vpol/restrict-loadbalancer/restrict-loadbalancer.yaml +++ b/other-vpol/restrict-loadbalancer/restrict-loadbalancer.yaml 
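Review bot: `metadata.ownerReferences` is supplied by whoever submits the Job, so the `not-created-by-cronjob` match condition on the new side is bypassed by adding `ownerReferences: [{kind: CronJob, ...}]` to a hand-written Job; the Job is admitted and runs even if garbage collection later removes it. The condition also only looks at `ownerReferences[0]` and, if the list is present but empty, that index will error rather than evaluate. A more trustworthy signal is the requester identity, which this corpus already uses via `request` elsewhere, e.g. `expression: "request.userInfo.username != 'system:serviceaccount:kube-system:cronjob-controller'"`, though that name assumes kube-controller-manager runs with per-controller service accounts and should be confirmed for the target cluster. The enclosing policy spec starts outside the hunk.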
@@ -28,6 +28,6 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["services"] validations: - - expression: "object.spec.type != 'LoadBalancer'" - message: "Service of type LoadBalancer is not allowed." + - expression: "object.spec.type != 'LoadBalancer'" + message: "Service of type LoadBalancer is not allowed." diff --git a/other-vpol/restrict-networkpolicy-empty-podselector/artifacthub-pkg.yml b/other-vpol/restrict-networkpolicy-empty-podselector/artifacthub-pkg.yml index 4ddbc5e0c..017b8291f 100644 --- a/other-vpol/restrict-networkpolicy-empty-podselector/artifacthub-pkg.yml +++ b/other-vpol/restrict-networkpolicy-empty-podselector/artifacthub-pkg.yml @@ -20,7 +20,7 @@ annotations: kyverno/category: "Other, Multi-Tenancy in vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "NetworkPolicy" -digest: 5c4d0e220a4a8e4759dde9bdabb355232005a531fd10842ff0a1f158b93f73c1 +digest: 651400131dcd861efba8af8511b15b1d8e7e4318f7b36ea0f631fb3546d50885 createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml b/other-vpol/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml index e2c27ef63..30389253c 100644 --- a/other-vpol/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml +++ b/other-vpol/restrict-networkpolicy-empty-podselector/restrict-networkpolicy-empty-podselector.yaml @@ -20,7 +20,6 @@ spec: evaluation: background: enabled: true - matchConstraints: resourceRules: - apiGroups: ["networking.k8s.io"] @@ -34,6 +33,6 @@ spec: resources: ["networkpolicies"] resourceNames: ["default-deny"] validations: - - expression: "size(object.spec.podSelector) != 0" - message: "NetworkPolicies must not use an empty podSelector." + - expression: "size(object.spec.podSelector) != 0" + message: "NetworkPolicies must not use an empty podSelector." 
diff --git a/other-vpol/restrict-node-affinity/artifacthub-pkg.yml b/other-vpol/restrict-node-affinity/artifacthub-pkg.yml index b83a95e56..835234abf 100644 --- a/other-vpol/restrict-node-affinity/artifacthub-pkg.yml +++ b/other-vpol/restrict-node-affinity/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Other in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Pod" -digest: 09f5fd4a8a42468aabac6d7145c280e626dcd5a10a6343811382fdf6c4f08b89 +digest: bb250f711b431ddcf7e0a5381b7d736f030573bd762a4e0e78ac79b13086c446 createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/restrict-node-affinity/restrict-node-affinity.yaml b/other-vpol/restrict-node-affinity/restrict-node-affinity.yaml index 1c7b0bc9b..5b35accbb 100644 --- a/other-vpol/restrict-node-affinity/restrict-node-affinity.yaml +++ b/other-vpol/restrict-node-affinity/restrict-node-affinity.yaml @@ -28,6 +28,6 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["pods"] validations: - - expression: "!object.spec.?affinity.?nodeAffinity.hasValue()" - message: "Node affinity cannot be used." + - expression: "!object.spec.?affinity.?nodeAffinity.hasValue()" + message: "Node affinity cannot be used." diff --git a/other-vpol/restrict-node-label-creation/artifacthub-pkg.yml b/other-vpol/restrict-node-label-creation/artifacthub-pkg.yml index 0554a0604..6f50cbc96 100644 --- a/other-vpol/restrict-node-label-creation/artifacthub-pkg.yml +++ b/other-vpol/restrict-node-label-creation/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Sample in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Node, Label" -digest: dec4a221f51228f1a93243036047bf35ffc30338398e7429095777e7afc173ee +digest: ffd972b2c46df31a9d600c82474576284ac991b409993600d8d2e1ea37be9f8a createdAt: "2025-05-11T17:46:11Z" 
diff --git a/other-vpol/restrict-node-label-creation/restrict-node-label-creation.yaml b/other-vpol/restrict-node-label-creation/restrict-node-label-creation.yaml index 97d813e47..085785d95 100644 --- a/other-vpol/restrict-node-label-creation/restrict-node-label-creation.yaml +++ b/other-vpol/restrict-node-label-creation/restrict-node-label-creation.yaml @@ -29,11 +29,11 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["nodes"] matchConditions: - - name: "operation-should-be-update" - expression: "request.operation == 'UPDATE'" - - name: "has-foo-label" - expression: "object.metadata.?labels.?foo.hasValue()" + - name: "operation-should-be-update" + expression: "request.operation == 'UPDATE'" + - name: "has-foo-label" + expression: "object.metadata.?labels.?foo.hasValue()" validations: - - expression: "false" - message: "Setting the `foo` label on a Node is not allowed." + - expression: "false" + message: "Setting the `foo` label on a Node is not allowed." diff --git a/other-vpol/restrict-pod-controller-serviceaccount-updates/artifacthub-pkg.yml b/other-vpol/restrict-pod-controller-serviceaccount-updates/artifacthub-pkg.yml index 7d662dd59..7e98f0c4d 100644 --- a/other-vpol/restrict-pod-controller-serviceaccount-updates/artifacthub-pkg.yml +++ b/other-vpol/restrict-pod-controller-serviceaccount-updates/artifacthub-pkg.yml @@ -19,6 +19,6 @@ annotations: kyverno/category: "Other in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Pod" -digest: 45baa6d034709308869974c65090c2cc1f241f61799644a256c0cf18e79be18d +digest: 0da6e8e6111f1a4da3b4babf2d451082c5cd7f2349418615bf986701020dd163 createdAt: "2025-05-11T17:46:10Z" diff --git a/other-vpol/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml b/other-vpol/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml index 96a836fdb..261055207 100644 
--- a/other-vpol/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml +++ b/other-vpol/restrict-pod-controller-serviceaccount-updates/restrict-pod-controller-serviceaccount-updates.yaml @@ -35,5 +35,4 @@ spec: - expression: >- object.spec.template.?spec.?serviceAccountName.orValue('') == oldObject.spec.template.?spec.?serviceAccountName.orValue('') || object.spec.jobTemplate.?spec.?template.?spec.?serviceAccountName.orValue('') == oldObject.spec.jobTemplate.?spec.?template.?spec.?serviceAccountName.orValue('') - message: "The serviceAccountName field may not be changed once created." \ No newline at end of file diff --git a/other-vpol/restrict-sa-automount-sa-token/artifacthub-pkg.yml b/other-vpol/restrict-sa-automount-sa-token/artifacthub-pkg.yml index 6728aad7f..8c588c272 100644 --- a/other-vpol/restrict-sa-automount-sa-token/artifacthub-pkg.yml +++ b/other-vpol/restrict-sa-automount-sa-token/artifacthub-pkg.yml @@ -27,7 +27,7 @@ annotations: kyverno/category: "Security in vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "ServiceAccount" -digest: 3b8805e4dd8285776ea73689cb699167606164ead65a930b1f757c5ab5f35ea0 +digest: 079c37b81020edfdd7f314bab8dca96793d7c0367652b05206b9244443c786b7 createdAt: "2025-05-11T17:46:12Z" diff --git a/other-vpol/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml b/other-vpol/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml index 5551e195d..561d5b1df 100644 --- a/other-vpol/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml +++ b/other-vpol/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token.yaml 
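Review bot: Removing the `message` line leaves this deny with no human-readable reason, so a user whose Deployment or CronJob is rejected only sees the raw CEL expression or a generic failure; unless the deletion was needed to satisfy a test, keep `message: "The serviceAccountName field may not be changed once created."`. Separately, the expression that remains appears to work only because CEL's `||` absorbs errors: for a Deployment the `object.spec.jobTemplate` lookup errors and for a CronJob `object.spec.template` errors, so a changed serviceAccountName is rejected through the error path (assuming evaluation errors are treated as failures), and anyone who later adds `?` to those two accesses would turn it into a bypass since `false || '' == ''` is true. A clearer form selects the branch by shape, e.g. `has(object.spec.jobTemplate) ? <cronjob comparison> : <template comparison>`. The enclosing policy spec and its validations list start outside the hunk.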
@@ -28,6 +28,6 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["serviceaccounts"] validations: - - expression: "object.?automountServiceAccountToken.orValue(true) == false" - message: "ServiceAccounts must set automountServiceAccountToken to false." + - expression: "object.?automountServiceAccountToken.orValue(true) == false" + message: "ServiceAccounts must set automountServiceAccountToken to false." diff --git a/other-vpol/restrict-secret-role-verbs/artifacthub-pkg.yml b/other-vpol/restrict-secret-role-verbs/artifacthub-pkg.yml index 92d150198..9faf73ed7 100644 --- a/other-vpol/restrict-secret-role-verbs/artifacthub-pkg.yml +++ b/other-vpol/restrict-secret-role-verbs/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Security in vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Role, ClusterRole, RBAC" -digest: 300ea61fa8070edcc69faf1bc316c335fdbf36b00af7740a089cb99196325a64 +digest: 4cc686aa39e12082c230f81eeb1d8971fa814a3c3a4d1a8a5d9c16fe72ee2dbe createdAt: "2025-05-11T17:46:11Z" diff --git a/other-vpol/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml b/other-vpol/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml index 13d7d2f03..32dfd6f02 100644 --- a/other-vpol/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml +++ b/other-vpol/restrict-secret-role-verbs/restrict-secret-role-verbs.yaml 
@@ -24,18 +24,18 @@ spec:
background:
enabled: true
matchConstraints:
- resourceRules:
- - apiGroups: ["rbac.authorization.k8s.io"]
- apiVersions: ["v1"]
- operations: ["CREATE", "UPDATE"]
- resources: ["roles", "clusterroles"]
+ resourceRules:
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["roles", "clusterroles"]
variables:
- - name: forbiddenVerbs
- expression: "['get','list','watch']"
+ - name: forbiddenVerbs
+ expression: "['get','list','watch']"
validations:
- - expression: >-
- object.rules == null ||
- !object.rules.exists(rule,
- 'secrets' in rule.resources && rule.verbs.exists(verb, verb in variables.forbiddenVerbs))
- message: "Requesting verbs `get`, `list`, or `watch` on Secrets is forbidden."
+ - expression: >-
+ object.rules == null ||
+ !object.rules.exists(rule,
+ 'secrets' in rule.resources && rule.verbs.exists(verb, verb in variables.forbiddenVerbs))
+ message: "Requesting verbs `get`, `list`, or `watch` on Secrets is forbidden."
diff --git a/other-vpol/restrict-secrets-by-name/artifacthub-pkg.yml b/other-vpol/restrict-secrets-by-name/artifacthub-pkg.yml
index 8fde1ecd4..3c62cbedf 100644
--- a/other-vpol/restrict-secrets-by-name/artifacthub-pkg.yml
+++ b/other-vpol/restrict-secrets-by-name/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
kyverno/category: "Other in Vpol"
kyverno/kubernetesVersion: "1.30"
kyverno/subject: "Pod, Secret"
-digest: 77fe4e33673b6ccc2bfd4f464f7e111426381f4f1950f61ee0b3d35df02082c3
+digest: b578fe5041e7b2102d9ea62ac26cb5be40ed113243b50d9bfd914cc5b5f7e27d
createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/restrict-secrets-by-name/restrict-secrets-by-name.yaml b/other-vpol/restrict-secrets-by-name/restrict-secrets-by-name.yaml
index 3d35a2026..e502eb391 100644
--- a/other-vpol/restrict-secrets-by-name/restrict-secrets-by-name.yaml
+++ b/other-vpol/restrict-secrets-by-name/restrict-secrets-by-name.yaml
@@ -29,23 +29,23 @@ spec:
operations: ["CREATE", "UPDATE"]
resources: ["pods"]
variables:
- - name: allc
- expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
- - name: allContainers
- expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
+ - name: allc
+ expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
+ - name: allContainers
+ expression: "object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])"
validations:
- - expression: >-
- variables.allContainers.all(container,
- container.?env.orValue([]).all(env,
- env.?valueFrom.?secretKeyRef.?name.orValue('safe-').startsWith("safe-")))
- message: "Only Secrets beginning with `safe-` may be consumed in env statements."
- - expression: >-
- variables.allc.all(container,
- container.?envFrom.orValue([]).all(env,
- env.?secretRef.?name.orValue('safe-').startsWith("safe-")))
- message: "Only Secrets beginning with `safe-` may be consumed in envFrom statements."
- - expression: >-
- object.spec.?volumes.orValue([]).all(volume,
- volume.?secret.?secretName.orValue('safe-').startsWith("safe-"))
- message: "Only Secrets beginning with `safe-` may be consumed in volumes."
+ - expression: >-
+ variables.allContainers.all(container,
+ container.?env.orValue([]).all(env,
+ env.?valueFrom.?secretKeyRef.?name.orValue('safe-').startsWith("safe-")))
+ message: "Only Secrets beginning with `safe-` may be consumed in env statements."
+ - expression: >-
+ variables.allc.all(container,
+ container.?envFrom.orValue([]).all(env,
+ env.?secretRef.?name.orValue('safe-').startsWith("safe-")))
+ message: "Only Secrets beginning with `safe-` may be consumed in envFrom statements."
+ - expression: >-
+ object.spec.?volumes.orValue([]).all(volume,
+ volume.?secret.?secretName.orValue('safe-').startsWith("safe-"))
+ message: "Only Secrets beginning with `safe-` may be consumed in volumes."
diff --git a/other-vpol/restrict-service-port-range/artifacthub-pkg.yml b/other-vpol/restrict-service-port-range/artifacthub-pkg.yml
index 26fa62c8e..49416c1a5 100644
--- a/other-vpol/restrict-service-port-range/artifacthub-pkg.yml
+++ b/other-vpol/restrict-service-port-range/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
kyverno/category: "Other in Vpol"
kyverno/kubernetesVersion: "1.30"
kyverno/subject: "Service"
-digest: 102fa2ff9a153fea481f71949533b16fe542aa12f1937d8c56997b306d724d4b
+digest: f568d97c004b88e5c19eb275d006c3cd15d1945caebe2fe263108883f6cece7d
createdAt: "2025-05-11T17:46:12Z"
diff --git a/other-vpol/restrict-service-port-range/restrict-service-port-range.yaml b/other-vpol/restrict-service-port-range/restrict-service-port-range.yaml
index 6a90d0e08..6b76e74ab 100644
--- a/other-vpol/restrict-service-port-range/restrict-service-port-range.yaml
+++ b/other-vpol/restrict-service-port-range/restrict-service-port-range.yaml
@@ -26,6 +26,6 @@ spec:
operations: ["CREATE", "UPDATE"]
resources: ["services"]
validations:
- - expression: "object.spec.ports.all(p, p.port >= 32000 && p.port <= 33000)"
- message: Ports must be between 32000-33000
+ - expression: "object.spec.ports.all(p, p.port >= 32000 && p.port <= 33000)"
+ message: Ports must be between 32000-33000
diff --git a/other-vpol/restrict-storageclass/artifacthub-pkg.yml b/other-vpol/restrict-storageclass/artifacthub-pkg.yml
index 043090cba..83796c7c6 100644
--- a/other-vpol/restrict-storageclass/artifacthub-pkg.yml
+++ b/other-vpol/restrict-storageclass/artifacthub-pkg.yml
@@ -20,7 +20,7 @@ annotations:
kyverno/category: "Other, Multi-Tenancy in vpol"
kyverno/kubernetesVersion: "1.30"
kyverno/subject: "StorageClass"
-digest: c95a18645ea4a788e40bcd9e9a8bb86762a3f42ecd0980b2bca81ab2fd01d32a
+digest: 07e30c0531366c9f4628c984d05489194358fc2fba6106743a1f96979c9bb8b9
createdAt: "2025-05-11T17:46:12Z"
diff --git a/other-vpol/restrict-storageclass/restrict-storageclass.yaml b/other-vpol/restrict-storageclass/restrict-storageclass.yaml
index a6465d413..19777b872 100644
--- a/other-vpol/restrict-storageclass/restrict-storageclass.yaml
+++ b/other-vpol/restrict-storageclass/restrict-storageclass.yaml
@@ -22,7 +22,6 @@ spec:
evaluation:
background:
enabled: true
-
matchConstraints:
resourceRules:
- apiGroups: ["storage.k8s.io"]
@@ -30,6 +29,6 @@ spec:
operations: ["CREATE", "UPDATE"]
resources: ["storageclasses"]
validations:
- - expression: "object.reclaimPolicy == 'Delete'"
- message: "StorageClass must define a reclaimPolicy of Delete."
+ - expression: "object.reclaimPolicy == 'Delete'"
+ message: "StorageClass must define a reclaimPolicy of Delete."
diff --git a/other-vpol/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml b/other-vpol/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml
index 51e5e0b47..386a441b4 100644
--- a/other-vpol/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml
+++ b/other-vpol/restrict-usergroup-fsgroup-id/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
kyverno/category: "Sample in Vpol"
kyverno/kubernetesVersion: "1.30"
kyverno/subject: "Pod"
-digest: bd32fa82326b4dc1ba8c9107eb37591f33da2638b184084e13cd1a3646af4f35
+digest: 69045833620980daf219fd1741e4af32132601e6a4ca651d0449c80e45c2e2fe
createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml b/other-vpol/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml
index 2e50621a3..eeade0723 100644
--- a/other-vpol/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml
+++ b/other-vpol/restrict-usergroup-fsgroup-id/restrict-usergroup-fsgroup-id.yaml
@@ -28,10 +28,10 @@ spec:
operations: ["CREATE", "UPDATE"]
resources: ["pods"]
validations:
- - expression: "object.spec.?securityContext.?runAsUser.orValue(1) == 1000"
- message: "User ID should be 1000."
- - expression: "object.spec.?securityContext.?runAsGroup.orValue(1) == 3000"
- message: "Group ID should be 3000."
- - expression: "object.spec.?securityContext.?fsGroup.orValue(1) == 2000"
- message: "fs Group should be 2000."
+ - expression: "object.spec.?securityContext.?runAsUser.orValue(1) == 1000"
+ message: "User ID should be 1000."
+ - expression: "object.spec.?securityContext.?runAsGroup.orValue(1) == 3000"
+ message: "Group ID should be 3000."
+ - expression: "object.spec.?securityContext.?fsGroup.orValue(1) == 2000"
+ message: "fs Group should be 2000."
diff --git a/other-vpol/restrict-wildcard-resources/artifacthub-pkg.yml b/other-vpol/restrict-wildcard-resources/artifacthub-pkg.yml
index d0a3b459e..84142a989 100644
--- a/other-vpol/restrict-wildcard-resources/artifacthub-pkg.yml
+++ b/other-vpol/restrict-wildcard-resources/artifacthub-pkg.yml
@@ -20,7 +20,7 @@ annotations:
kyverno/category: "Security, EKS Best Practices in vpol"
kyverno/kubernetesVersion: "1.30"
kyverno/subject: "ClusterRole, Role, RBAC"
-digest: 3c7af8b27c91ed28f126963c2ea83bad22510bbf3c9a290bfb1f48d2e669888d
+digest: 2e3606f23a81d1d7150909a038976c777b4e56e2e74c66010c3d51040175f75f
createdAt: "2025-05-11T17:46:12Z"
diff --git a/other-vpol/restrict-wildcard-resources/restrict-wildcard-resources.yaml b/other-vpol/restrict-wildcard-resources/restrict-wildcard-resources.yaml
index a950c9e3e..f2409cbbe 100644
--- a/other-vpol/restrict-wildcard-resources/restrict-wildcard-resources.yaml
+++ b/other-vpol/restrict-wildcard-resources/restrict-wildcard-resources.yaml
@@ -29,6 +29,6 @@ spec:
operations: ["CREATE", "UPDATE"]
resources: ["roles", "clusterroles"]
validations:
- - expression: "object.rules == null || !object.rules.exists(rule, '*' in rule.resources)"
- message: "Use of a wildcard ('*') in any resources is forbidden."
+ - expression: "object.rules == null || !object.rules.exists(rule, '*' in rule.resources)"
+ message: "Use of a wildcard ('*') in any resources is forbidden."
diff --git a/other-vpol/restrict-wildcard-verbs/artifacthub-pkg.yml b/other-vpol/restrict-wildcard-verbs/artifacthub-pkg.yml
index 0df765877..60ff6ee5d 100644
--- a/other-vpol/restrict-wildcard-verbs/artifacthub-pkg.yml
+++ b/other-vpol/restrict-wildcard-verbs/artifacthub-pkg.yml
@@ -20,7 +20,7 @@ annotations:
kyverno/category: "Security, EKS Best Practices in vpol"
kyverno/kubernetesVersion: "1.30"
kyverno/subject: "Role, ClusterRole, RBAC"
-digest: db8824f6b4b185c013bb497e6eaf912a0684ee7ae0d173d6270cc76654aba96c
+digest: 11c353aa1dff4cab3268c727ac1fa86724b92731204bb01dc6a09d3d010439fb
createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml b/other-vpol/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml
index 72e186c2e..64bc7efd2 100644
--- a/other-vpol/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml
+++ b/other-vpol/restrict-wildcard-verbs/restrict-wildcard-verbs.yaml
@@ -29,6 +29,6 @@ spec:
operations: ["CREATE", "UPDATE"]
resources: ["roles", "clusterroles"]
validations:
- - expression: "object.rules == null || !object.rules.exists(rule, '*' in rule.verbs)"
- message: "Use of a wildcard ('*') in any verbs is forbidden."
+ - expression: "object.rules == null || !object.rules.exists(rule, '*' in rule.verbs)"
+ message: "Use of a wildcard ('*') in any verbs is forbidden."
diff --git a/other-vpol/topologyspreadconstraints-policy/artifacthub-pkg.yml b/other-vpol/topologyspreadconstraints-policy/artifacthub-pkg.yml
index 94715c10a..5563b03e8 100644
--- a/other-vpol/topologyspreadconstraints-policy/artifacthub-pkg.yml
+++ b/other-vpol/topologyspreadconstraints-policy/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
kyverno/category: "Sample in Vpol"
kyverno/kubernetesVersion: "1.30"
kyverno/subject: "Deployment, StatefulSet"
-digest: f2d0ee77d660919dc4c9eb7819eab4067afd5b32105874932a509b0bf1833e90
+digest: fff2168e59c23e561f08ef54bf617a3f64ff7bf3c550f827bf3eeec1bdf5c01f
createdAt: "2025-05-11T17:46:11Z"
diff --git a/other-vpol/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml b/other-vpol/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml
index 7b770ddcc..3d0d354b7 100644
--- a/other-vpol/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml
+++ b/other-vpol/topologyspreadconstraints-policy/topologyspreadconstraints-policy.yaml
@@ -29,10 +29,10 @@ spec:
operations: ["CREATE", "UPDATE"]
resources: ["deployments", "statefulsets"]
matchConditions:
- - name: "replicas-must-be-3-or-more"
- expression: "object.spec.replicas >= 3"
+ - name: "replicas-must-be-3-or-more"
+ expression: "object.spec.replicas >= 3"
validations:
- - expression: >-
- size(object.spec.template.spec.?topologySpreadConstraints.orValue([]).filter(t, t.topologyKey == 'kubernetes.io/hostname' || t.topologyKey == 'topology.kubernetes.io/zone')) == 2
- message: "topologySpreadConstraint for kubernetes.io/hostname & topology.kubernetes.io/zone are required"
+ - expression: >-
+ size(object.spec.template.spec.?topologySpreadConstraints.orValue([]).filter(t, t.topologyKey == 'kubernetes.io/hostname' || t.topologyKey == 'topology.kubernetes.io/zone')) == 2
+ message: "topologySpreadConstraint for kubernetes.io/hostname & topology.kubernetes.io/zone are required"
diff --git a/other-vpol/unique-ingress-paths/artifacthub-pkg.yml b/other-vpol/unique-ingress-paths/artifacthub-pkg.yml
index d5d9816a7..e2f4eaaf5 100644
--- a/other-vpol/unique-ingress-paths/artifacthub-pkg.yml
+++ b/other-vpol/unique-ingress-paths/artifacthub-pkg.yml
@@ -17,6 +17,6 @@ readme: |
annotations:
kyverno/category: "Sample"
kyverno/subject: "Ingress"
-digest: 3dd7c690a1837db20fcf0da685c5d575de77eea4a00d2fff91c0907b54e62de3
+digest: 412d2690486d6a22b9918ee4852ac0749f1b4f7b98dec3d7e8cce471346600f7
createdAt: "2025-05-11T17:46:10Z"
diff --git a/other-vpol/unique-ingress-paths/unique-ingress-paths.yaml b/other-vpol/unique-ingress-paths/unique-ingress-paths.yaml
index 4908cbb37..f3b9cb118 100644
--- a/other-vpol/unique-ingress-paths/unique-ingress-paths.yaml
+++ b/other-vpol/unique-ingress-paths/unique-ingress-paths.yaml
@@ -27,37 +27,36 @@ spec: operations: ["CREATE", "UPDATE"] resources: ["ingresses"] variables: - - name: allpaths - expression: >- - resource.List("networking.k8s.io/v1", "ingresses", "" ).items - - name: nspath - expression: >- - resource.List("networking.k8s.io/v1", "ingresses", object.metadata.namespace ).items + - name: allpaths + expression: >- + resource.List("networking.k8s.io/v1", "ingresses", "" ).items + - name: nspath + expression: >- + resource.List("networking.k8s.io/v1", "ingresses", object.metadata.namespace ).items validations: - expression: >- - !object.spec.rules.orValue([]).exists(rule, - rule.http.paths.orValue([]).exists(path, - ( - variables.allpaths.orValue([]).exists(existing_ingress, - existing_ingress.spec.rules.orValue([]).exists(existing_rule, - existing_rule.http.paths.orValue([]).exists(existing_path, - existing_path.path == path.path - ) - ) + !object.spec.rules.orValue([]).exists(rule, + rule.http.paths.orValue([]).exists(path, + ( + variables.allpaths.orValue([]).exists(existing_ingress, + existing_ingress.spec.rules.orValue([]).exists(existing_rule, + existing_rule.http.paths.orValue([]).exists(existing_path, + existing_path.path == path.path ) - && - ! variables.nspath.orValue([]).exists(existing_ingress, - existing_ingress.metadata.namespace != object.metadata.namespace && + ) + ) + && + ! variables.nspath.orValue([]).exists(existing_ingress, + existing_ingress.metadata.namespace != object.metadata.namespace && - existing_ingress.spec.rules.orValue([]).exists(existing_rule, - existing_rule.http.paths.orValue([]).exists(existing_path, - existing_path.path == path.path - ) - ) + existing_ingress.spec.rules.orValue([]).exists(existing_rule, + existing_rule.http.paths.orValue([]).exists(existing_path, + existing_path.path == path.path ) ) ) ) - + ) + ) message: >- The root path already exists in the cluster but not in the namespace. From 96320839fd74bdf301d15499aa21d79e4db12e1b Mon Sep 17 00:00:00 2001 
From: Mariam Fahmy Date: Tue, 25 Nov 2025 07:18:35 +0000 Subject: [PATCH 05/14] feat: convert cpols to vpols (#1383) Signed-off-by: Mariam Fahmy 
Signed-off-by: Brandon Metcalf --- .../chainsaw-step-01-assert-1.yaml | 13 +++ .../chainsaw-step-02-apply-1.yaml | 4 + .../chainsaw-step-02-apply-2.yaml | 7 ++ .../.chainsaw-test/chainsaw-test.yaml | 47 ++++++++++ .../.chainsaw-test/permissions.yaml | 17 ++++ .../.chainsaw-test/pod-bad.yaml | 30 ++++++ .../.chainsaw-test/pod-good.yaml | 19 ++++ .../.chainsaw-test/podcontroller-bad.yaml | 44 +++++++++ .../.chainsaw-test/podcontroller-good.yaml | 44 +++++++++ .../allowed-base-images.yaml | 45 +++++++++ .../allowed-base-images/artifacthub-pkg.yml | 23 +++++ .../chainsaw-step-01-assert-1.yaml | 13 +++ .../.chainsaw-test/chainsaw-test.yaml | 45 +++++++++ .../.chainsaw-test/ns.yaml | 4 + .../.chainsaw-test/pod-bad.yaml | 55 +++++++++++ .../.chainsaw-test/pod-good.yaml | 38 ++++++++ .../.chainsaw-test/podcontroller-bad.yaml | 91 +++++++++++++++++++ .../.chainsaw-test/podcontroller-good.yaml | 91 +++++++++++++++++++ .../allowed-image-repos.yaml | 39 ++++++++ .../allowed-image-repos/artifacthub-pkg.yml | 23 +++++ 20 files changed, 692 insertions(+) create mode 100755 other-vpol/allowed-base-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-vpol/allowed-base-images/.chainsaw-test/chainsaw-step-02-apply-1.yaml create mode 100755 other-vpol/allowed-base-images/.chainsaw-test/chainsaw-step-02-apply-2.yaml create mode 100755 other-vpol/allowed-base-images/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-vpol/allowed-base-images/.chainsaw-test/permissions.yaml create mode 100644 other-vpol/allowed-base-images/.chainsaw-test/pod-bad.yaml create mode 100644 other-vpol/allowed-base-images/.chainsaw-test/pod-good.yaml create mode 100644 other-vpol/allowed-base-images/.chainsaw-test/podcontroller-bad.yaml create mode 100644 other-vpol/allowed-base-images/.chainsaw-test/podcontroller-good.yaml create mode 100644 other-vpol/allowed-base-images/allowed-base-images.yaml create mode 100644 other-vpol/allowed-base-images/artifacthub-pkg.yml create mode 
100755 other-vpol/allowed-image-repos/.chainsaw-test/chainsaw-step-01-assert-1.yaml create mode 100755 other-vpol/allowed-image-repos/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-vpol/allowed-image-repos/.chainsaw-test/ns.yaml create mode 100644 other-vpol/allowed-image-repos/.chainsaw-test/pod-bad.yaml create mode 100644 other-vpol/allowed-image-repos/.chainsaw-test/pod-good.yaml create mode 100644 other-vpol/allowed-image-repos/.chainsaw-test/podcontroller-bad.yaml create mode 100644 other-vpol/allowed-image-repos/.chainsaw-test/podcontroller-good.yaml create mode 100644 other-vpol/allowed-image-repos/allowed-image-repos.yaml create mode 100644 other-vpol/allowed-image-repos/artifacthub-pkg.yml
diff --git a/other-vpol/allowed-base-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-vpol/allowed-base-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..463d4b56e
--- /dev/null
+++ b/other-vpol/allowed-base-images/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,13 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: allowed-base-images
+status:
+ conditionStatus:
+ conditions:
+ - reason: Succeeded
+ type: WebhookConfigured
+ status: "True"
+ - reason: Succeeded
+ type: RBACPermissionsGranted
+ status: "True"
\ No newline at end of file
diff --git a/other-vpol/allowed-base-images/.chainsaw-test/chainsaw-step-02-apply-1.yaml b/other-vpol/allowed-base-images/.chainsaw-test/chainsaw-step-02-apply-1.yaml
new file mode 100755
index 000000000..b179bd0fe
--- /dev/null
+++ b/other-vpol/allowed-base-images/.chainsaw-test/chainsaw-step-02-apply-1.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: platform
diff --git a/other-vpol/allowed-base-images/.chainsaw-test/chainsaw-step-02-apply-2.yaml b/other-vpol/allowed-base-images/.chainsaw-test/chainsaw-step-02-apply-2.yaml
new file mode 100755
index 000000000..3c402a8e1
--- /dev/null
+++ b/other-vpol/allowed-base-images/.chainsaw-test/chainsaw-step-02-apply-2.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+ allowedbaseimages: gcr.io/distroless/static:nonroot
+kind: ConfigMap
+metadata:
+ name: baseimages
+ namespace: platform
diff --git a/other-vpol/allowed-base-images/.chainsaw-test/chainsaw-test.yaml b/other-vpol/allowed-base-images/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..efefde2af
--- /dev/null
+++ b/other-vpol/allowed-base-images/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,47 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: allowed-base-images
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: permissions.yaml
+ - apply:
+ file: ../allowed-base-images.yaml
+ - patch:
+ resource:
+ apiVersion: policies.kyverno.io/v1alpha1
+ kind: ValidatingPolicy
+ metadata:
+ name: allowed-base-images
+ spec:
+ validationActions:
+ - Deny
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: chainsaw-step-02-apply-1.yaml
+ - apply:
+ file: chainsaw-step-02-apply-2.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
diff --git a/other-vpol/allowed-base-images/.chainsaw-test/permissions.yaml b/other-vpol/allowed-base-images/.chainsaw-test/permissions.yaml
new file mode 100644
index 000000000..052afe941
--- /dev/null
+++ b/other-vpol/allowed-base-images/.chainsaw-test/permissions.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:configmaps:view
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/other-vpol/allowed-base-images/.chainsaw-test/pod-bad.yaml b/other-vpol/allowed-base-images/.chainsaw-test/pod-bad.yaml
new file mode 100644
index 000000000..454b6549a
--- /dev/null
+++ b/other-vpol/allowed-base-images/.chainsaw-test/pod-bad.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01
+spec:
+ containers:
+ - name: busybox
+ image: ghcr.io/kyverno/test-busybox:1.35
+ - name: ko
+ image: ghcr.io/dlorenc/hello-ko:latest
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod02
+spec:
+ containers:
+ - name: ko
+ image: ghcr.io/dlorenc/hello-ko:latest
+ - name: busybox
+ image: ghcr.io/kyverno/test-busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod03
+spec:
+ containers:
+ - name: busybox
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other-vpol/allowed-base-images/.chainsaw-test/pod-good.yaml b/other-vpol/allowed-base-images/.chainsaw-test/pod-good.yaml
new file mode 100644
index 000000000..c209421a8
--- /dev/null
+++ b/other-vpol/allowed-base-images/.chainsaw-test/pod-good.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod01
+spec:
+ containers:
+ - name: kyverno
+ image: ghcr.io/dlorenc/hello-ko:latest
+ - name: hello-ko
+ image: ghcr.io/dlorenc/hello-ko:latest
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod02
+spec:
+ containers:
+ - name: ko
+ image: ghcr.io/dlorenc/hello-ko:latest
\ No newline at end of file
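Review bot: The ClusterRole grants `get`, `list` and `watch` on every ConfigMap in the cluster to the admission, background and reports controllers, while the policy it supports reads a single ConfigMap, `platform/baseimages`, through `resource.Get`. ConfigMaps routinely hold application configuration, so if `resource.Get` needs only `get` (confirm against Kyverno's CEL library docs) the rule can be narrowed to `verbs: ["get"]` with `resourceNames: ["baseimages"]`; `list` and `watch` are not constrained by `resourceNames`, which is a further reason to drop them when they are not needed. The generic name `kyverno:configmaps:view` also means another policy shipping a same-named role would overwrite this one on apply, so a policy-specific name is safer. Because this manifest lives under `.chainsaw-test/`, a user who installs only the policy gets no hint that this grant is a prerequisite.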
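Review bot: The fixtures pin `ghcr.io/dlorenc/hello-ko:latest`, a mutable tag, and the pass/fail split in this file and in pod-good.yaml, podcontroller-bad.yaml and podcontroller-good.yaml presumably depends on that tag currently carrying an `org.opencontainers.image.base.name` annotation equal to the ConfigMap's `gcr.io/distroless/static:nonroot`. A retag upstream would flip the "good" fixtures to failures with no change in this repository, so referencing the image by digest (`ghcr.io/dlorenc/hello-ko@sha256:<digest-of-the-tested-image>`) would make the test reproducible. A one-line comment at the top of each fixture stating which base annotation the image is expected to carry would also make the intent of the good/bad pairing clear.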
diff --git a/other-vpol/allowed-base-images/.chainsaw-test/podcontroller-bad.yaml b/other-vpol/allowed-base-images/.chainsaw-test/podcontroller-bad.yaml
new file mode 100644
index 000000000..8d3413ad3
--- /dev/null
+++ b/other-vpol/allowed-base-images/.chainsaw-test/podcontroller-bad.yaml
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: kyverno
+ name: baddeployment01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: kyverno
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: kyverno
+ spec:
+ containers:
+ - name: kv-01
+ image: ghcr.io/kyverno/test-busybox:1.35
+ - name: kv-02
+ image: ghcr.io/dlorenc/hello-ko:latest
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob01
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ annotations:
+ foo: bar
+ spec:
+ containers:
+ - name: hello
+ image: ghcr.io/dlorenc/hello-ko:latest
+ imagePullPolicy: IfNotPresent
+ - name: hello02
+ image: ghcr.io/kyverno/test-busybox:1.35
+ imagePullPolicy: IfNotPresent
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-vpol/allowed-base-images/.chainsaw-test/podcontroller-good.yaml b/other-vpol/allowed-base-images/.chainsaw-test/podcontroller-good.yaml
new file mode 100644
index 000000000..c131b05a7
--- /dev/null
+++ b/other-vpol/allowed-base-images/.chainsaw-test/podcontroller-good.yaml
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: kyverno
+ name: gooddeployment01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: kyverno
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: kyverno
+ spec:
+ containers:
+ - name: kv
+ image: ghcr.io/dlorenc/hello-ko:latest
+ - name: ko
+ image: ghcr.io/dlorenc/hello-ko:latest
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: goodcronjob01
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ metadata:
+ annotations:
+ foo: bar
+ spec:
+ containers:
+ - name: hello
+ image: ghcr.io/dlorenc/hello-ko:latest
+ imagePullPolicy: IfNotPresent
+ - name: hello02
+ image: ghcr.io/dlorenc/hello-ko:latest
+ imagePullPolicy: IfNotPresent
+ restartPolicy: OnFailure
\ No newline at end of file
diff --git a/other-vpol/allowed-base-images/allowed-base-images.yaml b/other-vpol/allowed-base-images/allowed-base-images.yaml
new file mode 100644
index 000000000..ea881c860
--- /dev/null
+++ b/other-vpol/allowed-base-images/allowed-base-images.yaml
@@ -0,0 +1,45 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: allowed-base-images
+ annotations:
+ policies.kyverno.io/title: Allowed Base Images
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ kyverno.io/kyverno-version: 1.15.0
+ policies.kyverno.io/minversion: 1.15.0
+ kyverno.io/kubernetes-version: "1.30"
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ Building images which specify a base as their origin is a good start
+ to improving supply chain security, but over time organizations
+ may want to build an allow list of specific base images which
+ are allowed to be used when constructing containers. This policy ensures
+ that a container's base, found in an OCI annotation, is in a cluster-wide
+ allow list.
+spec:
+ evaluation:
+ background:
+ enabled: false
+ validationActions: ["Warn", "Audit"]
+ variables:
+ - name: baseImageConfigMap
+ expression: 'resource.Get("v1", "configmaps", "platform", "baseimages")'
+ - name: allowedBaseImages
+ expression: 'variables.baseImageConfigMap.data.?allowedbaseimages.orValue("").split(",").filter(img, img.trim() != "")'
+ - name: allContainers
+ expression: 'object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])'
+ matchConstraints:
+ resourceRules:
+ - resources: ["pods"]
+ operations: ["CREATE", "UPDATE"]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ validations:
+ - expression: |
+ variables.allContainers.all(container,
+ has(image.GetMetadata(container.image).manifest.annotations) &&
+ image.GetMetadata(container.image).manifest.annotations != null &&
+ 'org.opencontainers.image.base.name' in image.GetMetadata(container.image).manifest.annotations &&
+ image.GetMetadata(container.image).manifest.annotations['org.opencontainers.image.base.name'] in variables.allowedBaseImages
+ )
\ No newline at end of file
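Review bot: The `allowedBaseImages` variable splits the ConfigMap value on `,` but never trims the pieces, so a value written as `a, b` yields ` b` and the second base image can never match; `.split(",").map(img, img.trim()).filter(img, img != "")` fixes that, and `variables.baseImageConfigMap.?data.?allowedbaseimages.orValue("")` would additionally survive a ConfigMap that has no `data` key at all. The validation evaluates `image.GetMetadata(container.image)` four times per container; unless Kyverno caches the lookup, binding it once per container (for example `variables.allContainers.map(c, image.GetMetadata(c.image)).all(m, ...)`) avoids repeated registry round-trips on every admission. The description should state that `org.opencontainers.image.base.name` is an annotation written by whoever built the image and is not verified against the image content, so the policy enforces declared intent and should be paired with signature or attestation verification rather than read as proof of provenance. `resource.Get` on a missing `platform/baseimages` ConfigMap presumably errors rather than yielding an empty list, which is only reported under `validationActions: ["Warn", "Audit"]` but becomes a blanket deny once operators switch to `Deny` as the chainsaw test does; a short comment above the variable naming that prerequisite would help.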
diff --git a/other-vpol/allowed-base-images/artifacthub-pkg.yml b/other-vpol/allowed-base-images/artifacthub-pkg.yml
new file mode 100644
index 000000000..fdfc45d59
--- /dev/null
+++ b/other-vpol/allowed-base-images/artifacthub-pkg.yml
@@ -0,0 +1,23 @@
+name: allowed-base-images-vpol
+version: 1.0.0
+displayName: Allowed Base Images in ValidatingPolicy
+description: >-
+ Building images which specify a base as their origin is a good start to improving supply chain security, but over time organizations may want to build an allow list of specific base images which are allowed to be used when constructing containers. This policy ensures that a container's base, found in an OCI annotation, is in a cluster-wide allow list.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-vpol/allowed-base-images/allowed-base-images.yaml
+ ```
+keywords:
+ - kyverno
+ - Other
+ - ValidatingPolicy
+readme: |
+ Building images which specify a base as their origin is a good start to improving supply chain security, but over time organizations may want to build an allow list of specific base images which are allowed to be used when constructing containers. This policy ensures that a container's base, found in an OCI annotation, is in a cluster-wide allow list.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Sample in Vpol"
+ kyverno/kubernetesVersion: "1.23"
+ kyverno/subject: "Pod"
+digest: 6447e7042d01ecf4221b36bf16ee9be7882475dc9eb15060f0301eeac32d915e
+createdAt: "2025-11-24T17:13:08Z"
diff --git a/other-vpol/allowed-image-repos/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-vpol/allowed-image-repos/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100755
index 000000000..b7c038663
--- /dev/null
+++ b/other-vpol/allowed-image-repos/.chainsaw-test/chainsaw-step-01-assert-1.yaml
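Review bot: `kyverno/kubernetesVersion: "1.23"` disagrees with `kyverno.io/kubernetes-version: "1.30"` in allowed-base-images.yaml and with the other artifacthub-pkg.yml hunks in this series, which all say `"1.30"`; the two metadata files should agree. The `readme` also omits the two prerequisites the chainsaw test has to set up by hand before the policy works: a ConfigMap named `baseimages` in the `platform` namespace with an `allowedbaseimages` key, and a ClusterRole letting Kyverno's controllers read that ConfigMap (the one under `.chainsaw-test/permissions.yaml` is never installed by the `kubectl apply` shown in `install`). A short paragraph in `readme` naming both, and stating that the ConfigMap value is a comma-separated list of base image references, would spare users a failed `RBACPermissionsGranted` condition and a policy that denies everything.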
@@ -0,0 +1,13 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: allowed-image-repos +status: + conditionStatus: + conditions: + - reason: Succeeded + type: WebhookConfigured + status: "True" + - reason: Succeeded + type: RBACPermissionsGranted + status: "True" \ No newline at end of file diff --git a/other-vpol/allowed-image-repos/.chainsaw-test/chainsaw-test.yaml b/other-vpol/allowed-image-repos/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..62fad3e8b --- /dev/null +++ b/other-vpol/allowed-image-repos/.chainsaw-test/chainsaw-test.yaml @@ -0,0 +1,45 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: allowed-image-repos +spec: + steps: + - name: step-01 + try: + - apply: + file: ns.yaml + - apply: + file: ../allowed-image-repos.yaml + - patch: + resource: + apiVersion: policies.kyverno.io/v1alpha1 + kind: ValidatingPolicy + metadata: + name: allowed-image-repos + spec: + validationActions: + - Deny + - assert: + file: chainsaw-step-01-assert-1.yaml + - name: step-02 + try: + - apply: + file: pod-good.yaml + - apply: + file: podcontroller-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pod-bad.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontroller-bad.yaml + - name: step-99 + try: + - script: + content: kubectl delete all --all --force --grace-period=0 -n allowed-image-repos-ns diff --git a/other-vpol/allowed-image-repos/.chainsaw-test/ns.yaml b/other-vpol/allowed-image-repos/.chainsaw-test/ns.yaml new file mode 100644 index 000000000..df8c1dacb --- /dev/null +++ b/other-vpol/allowed-image-repos/.chainsaw-test/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: allowed-image-repos-ns \ No newline at end of file 
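Review bot: In chainsaw-test.yaml the negative cases only assert `($error != null): true`, which is satisfied by any failure (namespace not yet ready, webhook unreachable, a typo in the fixture) and not specifically by the policy denying the Pod, so a broken policy that never fires can still pass if something else errors. Asserting that the error message names the policy makes the test meaningful, e.g. `(contains($error, 'allowed-image-repos')): true` on each of the two `pod-bad.yaml` and `podcontroller-bad.yaml` applies. The `step-99` cleanup also removes workloads but leaves the `allowed-image-repos-ns` Namespace behind; if that is intentional (chainsaw's own teardown), a short comment saying so would save the next reader a question.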
diff --git a/other-vpol/allowed-image-repos/.chainsaw-test/pod-bad.yaml b/other-vpol/allowed-image-repos/.chainsaw-test/pod-bad.yaml new file mode 100644 index 000000000..b537acc36 --- /dev/null +++ b/other-vpol/allowed-image-repos/.chainsaw-test/pod-bad.yaml @@ -0,0 +1,55 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 + namespace: allowed-image-repos-ns +spec: + containers: + - name: pod-01 + image: ghcr.io/kyverno/test-busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 + namespace: allowed-image-repos-ns +spec: + containers: + - name: pod-01 + image: myknownimage + - name: pod-02 + image: ghcr.io/kyverno/test-busybox:1.35 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 + namespace: allowed-image-repos-ns +spec: + initContainers: + - name: pod-01-init + image: ghcr.io/kyverno/test-busybox:1.35 + - name: pod-02-init + image: myknownimage + containers: + - name: pod-01 + image: myknownimage + - name: pod-02 + image: kyverno +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 + namespace: allowed-image-repos-ns +spec: + initContainers: + - name: pod-01-init + image: myknownimage + - name: pod-02-init + image: myknownimage + containers: + - name: pod-01 + image: myknownimage + - name: pod-02 + image: docker.io/busybox:1.35 \ No newline at end of file diff --git a/other-vpol/allowed-image-repos/.chainsaw-test/pod-good.yaml b/other-vpol/allowed-image-repos/.chainsaw-test/pod-good.yaml new file mode 100644 index 000000000..3823134fd --- /dev/null +++ b/other-vpol/allowed-image-repos/.chainsaw-test/pod-good.yaml 
@@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 + namespace: allowed-image-repos-ns +spec: + containers: + - name: pod-01 + image: myknownimage +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 + namespace: allowed-image-repos-ns +spec: + containers: + - name: pod-01 + image: ghcr.io/images/myknownimage:1.26 + - name: pod-02 + image: ghcr.io/kyverno/kyverno:latest +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 + namespace: allowed-image-repos-ns +spec: + initContainers: + - name: pod-01-init + image: kyverno:latest + - name: pod-02-init + image: myknownimage + containers: + - name: pod-01 + image: myknownimage:1.14 + - name: pod-02 + image: kyverno \ No newline at end of file diff --git a/other-vpol/allowed-image-repos/.chainsaw-test/podcontroller-bad.yaml b/other-vpol/allowed-image-repos/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..7909ba6f8 --- /dev/null +++ b/other-vpol/allowed-image-repos/.chainsaw-test/podcontroller-bad.yaml 
@@ -0,0 +1,91 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 + namespace: allowed-image-repos-ns +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + initContainers: + - name: bb-01-init + image: ghcr.io/kyverno/test-busybox:1.35 + containers: + - name: bb-01 + image: ghcr.io/kyverno/test-busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment02 + namespace: allowed-image-repos-ns +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + initContainers: + - name: bb01-init + image: ghcr.io/kyverno/test-busybox:1.35 + containers: + - name: bb-01 + image: myknownimage + - name: bb-02 + image: ghcr.io/kyverno/test-busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 + namespace: allowed-image-repos-ns +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + initContainers: + - name: bb-01-init + image: kyverno + containers: + - name: bb-01 + image: ghcr.io/kyverno/test-busybox:1.35 + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 + namespace: allowed-image-repos-ns +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + initContainers: + - name: bb01-init + image: ghcr.io/kyverno/test-busybox:1.35 + containers: + - name: bb-01 + image: kyverno + - name: bb-02 + image: myknownimage + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-vpol/allowed-image-repos/.chainsaw-test/podcontroller-good.yaml b/other-vpol/allowed-image-repos/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..2e700418d --- /dev/null +++ b/other-vpol/allowed-image-repos/.chainsaw-test/podcontroller-good.yaml 
@@ -0,0 +1,91 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 + namespace: allowed-image-repos-ns +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + initContainers: + - name: bb-01-init + image: myknownimage + containers: + - name: bb-01 + image: kyverno +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment02 + namespace: allowed-image-repos-ns +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + initContainers: + - name: bb01-init + image: kyverno + containers: + - name: bb-01 + image: myknownimage + - name: bb-02 + image: kyverno +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 + namespace: allowed-image-repos-ns +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + initContainers: + - name: bb-01-init + image: myknownimage + containers: + - name: bb-01 + image: kyverno + restartPolicy: OnFailure +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 + namespace: allowed-image-repos-ns +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + initContainers: + - name: bb01-init + image: kyverno + containers: + - name: bb-01 + image: myknownimage + - name: bb-02 + image: kyverno + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-vpol/allowed-image-repos/allowed-image-repos.yaml b/other-vpol/allowed-image-repos/allowed-image-repos.yaml new file mode 100644 index 000000000..8e66a3b30 --- /dev/null +++ b/other-vpol/allowed-image-repos/allowed-image-repos.yaml 
@@ -0,0 +1,39 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: allowed-image-repos + annotations: + policies.kyverno.io/title: Allowed Image Repositories + policies.kyverno.io/category: Other + policies.kyverno.io/severity: medium + kyverno.io/kyverno-version: 1.14.0 + policies.kyverno.io/minversion: 1.14.0 + kyverno.io/kubernetes-version: "1.24" + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + In addition to restricting the image registry from which images are pulled, in some cases + and environments it may be required to also restrict which image repositories are used, + for example in some restricted Namespaces. This policy ensures that the only allowed + image repositories present in a given Pod, across any container type, come from the + designated list. +spec: + evaluation: + background: + enabled: false + validationActions: ["Warn", "Audit"] + variables: + - name: allContainers + expression: 'object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])' + - name: allowedRepos + expression: '["myknownimage", "kyverno"]' + matchConstraints: + resourceRules: + - resources: ["pods"] + operations: ["CREATE", "UPDATE"] + apiGroups: [""] + apiVersions: ["v1"] + validations: + - messageExpression: | + 'All images in this Pod must come from an authorized repository. Allowed repositories: ' + variables.allowedRepos.join(', ') + '. Found unauthorized images: ' + variables.allContainers.filter(container, !variables.allowedRepos.exists(repo, (container.image.contains('/') ? container.image.split('/')[container.image.split('/').size() - 1].split(':')[0] : container.image.split(':')[0]) == repo)).map(container, container.image).join(', ') + expression: | + variables.allContainers.all(container, variables.allowedRepos.exists(repo, (container.image.contains('/') ? 
container.image.split('/')[container.image.split('/').size() - 1].split(':')[0] : container.image.split(':')[0]) == repo)) \ No newline at end of file diff --git a/other-vpol/allowed-image-repos/artifacthub-pkg.yml b/other-vpol/allowed-image-repos/artifacthub-pkg.yml new file mode 100644 index 000000000..7010bfb3d --- /dev/null +++ b/other-vpol/allowed-image-repos/artifacthub-pkg.yml @@ -0,0 +1,23 @@ +name: allowed-image-repos +version: 1.0.0 +displayName: Allowed Image Repositories in ValidatingPolicy +description: >- + In addition to restricting the image registry from which images are pulled, in some cases and environments it may be required to also restrict which image repositories are used, for example in some restricted Namespaces. This policy ensures that the only allowed image repositories present in a given Pod, across any container type, come from the designated list. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-vpol/allowed-image-repos/allowed-image-repos.yaml + ``` +keywords: + - kyverno + - Other + - ValidatingPolicy +readme: | + In addition to restricting the image registry from which images are pulled, in some cases and environments it may be required to also restrict which image repositories are used, for example in some restricted Namespaces. This policy ensures that the only allowed image repositories present in a given Pod, across any container type, come from the designated list. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Sample in Vpol" + kyverno/kubernetesVersion: "1.24" + kyverno/subject: "Pod" +digest: b8ac9d48ead88ed285c1c6f6972fee5c68361ccb6eb888ccea9722aaaddbc5d9 +createdAt: "2025-11-24T17:13:07Z" From 3c5c0d5bf0a920cd356fe1c7071abc11e8abd85e Mon Sep 17 00:00:00 2001 
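Review bot: The repository extraction in both `messageExpression` and `expression` only strips a `:tag`, so a digest-pinned reference such as `myknownimage@sha256:…` becomes `myknownimage@sha256` and is rejected, which penalizes exactly the pinning practice a supply-chain policy should encourage; splitting on `@` before `:` fixes that. Because only the last path segment is compared, `evil.example/kyverno:latest` passes this policy; the description should say that it is a repository-name allow list and must be combined with a registry restriction, or the check should compare the full path. The identical expression is duplicated between the message and the validation; computing the offending images once in a variable removes the duplication and lets the validation be a simple `size() == 0` check. The proposed rewrite below covers the `variables` and `validations` sections of the hunk.
```yaml
  variables:
    - name: allContainers
      expression: 'object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])'
    - name: allowedRepos
      expression: '["myknownimage", "kyverno"]'
    # Last path segment of each reference with digest and tag removed, e.g.
    # "ghcr.io/kyverno/kyverno:v1@sha256:..." -> "kyverno". A bare "image"
    # has no "/" so split('/') returns a single element.
    - name: unauthorizedImages
      expression: >-
        variables.allContainers.map(c, c.image).filter(img,
          !(img.split('/')[img.split('/').size() - 1].split('@')[0].split(':')[0] in variables.allowedRepos))
  # … unchanged: matchConstraints …
  validations:
    - messageExpression: >-
        'All images in this Pod must come from an authorized repository. Allowed repositories: ' + variables.allowedRepos.join(', ') + '. Found unauthorized images: ' + variables.unauthorizedImages.join(', ')
      expression: variables.unauthorizedImages.size() == 0
```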
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 25 Nov 2025 15:23:26 +0800 Subject: [PATCH 06/14] build(deps): Bump actions/checkout from 4.2.2 to 6.0.0 (#1380) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 6.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4.2.2...1af3b93b6815bc44a9784bd300feb67ff0d1eeb3) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jim Bugwadia Signed-off-by: Brandon Metcalf --- .github/workflows/check-actions.yaml | 2 +- .github/workflows/cherry-pick-on-merge.yaml | 2 +- .github/workflows/ci.yml | 10 +- .github/workflows/comment-commands.yaml | 2 +- .github/workflows/test.yml | 116 ++++++++++---------- 5 files changed, 66 insertions(+), 66 deletions(-) diff --git a/.github/workflows/check-actions.yaml b/.github/workflows/check-actions.yaml index 3bd206083..8a70576f7 100644 --- a/.github/workflows/check-actions.yaml +++ b/.github/workflows/check-actions.yaml @@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Ensure SHA pinned actions uses: zgosalvez/github-actions-ensure-sha-pinned-actions@9e9574ef04ea69da568d6249bd69539ccc704e74 # v4.0.0 with: diff --git a/.github/workflows/cherry-pick-on-merge.yaml b/.github/workflows/cherry-pick-on-merge.yaml index d29c09fdd..ee9eefe7b 100644 --- a/.github/workflows/cherry-pick-on-merge.yaml +++ b/.github/workflows/cherry-pick-on-merge.yaml 
@@ -40,7 +40,7 @@ jobs: - name: Checkout repository if: steps.cherry.outputs.result != '[]' - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2ae60c935..c3f2a3de5 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -20,7 +20,7 @@ jobs: options: --user root steps: - name: Checkout code - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: path: policies - name: Run ah lint @@ -31,14 +31,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: path: policies - name: Validate all policies run: ./.hack/verify-files-structure.sh working-directory: policies - name: Clone Kyverno - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: repository: kyverno/kyverno path: kyverno @@ -56,11 +56,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: path: policies - name: Checkout Kyverno - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: repository: kyverno/kyverno path: kyverno diff --git a/.github/workflows/comment-commands.yaml b/.github/workflows/comment-commands.yaml index 7e4724095..667644b09 100644 --- a/.github/workflows/comment-commands.yaml +++ b/.github/workflows/comment-commands.yaml 
@@ -95,7 +95,7 @@ jobs: - name: Checkout repository if: fromJSON(steps.check-merged.outputs.result).merged == true - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: fetch-depth: 0 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 2642dbd13..568b66280 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -42,7 +42,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -60,7 +60,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -78,7 +78,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -96,7 +96,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: 
@@ -115,7 +115,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -136,7 +136,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -156,7 +156,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -175,7 +175,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -195,7 +195,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -213,7 +213,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: 
@@ -231,7 +231,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -249,7 +249,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -267,7 +267,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -285,7 +285,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -303,7 +303,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -321,7 +321,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: 
@@ -339,7 +339,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -357,7 +357,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -375,7 +375,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -393,7 +393,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -411,7 +411,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -429,7 +429,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: 
@@ -447,7 +447,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -465,7 +465,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -483,7 +483,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -501,7 +501,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -519,7 +519,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -537,7 +537,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: 
@@ -555,7 +555,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -573,7 +573,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -591,7 +591,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -609,7 +609,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -627,7 +627,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -645,7 +645,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: 
@@ -663,7 +663,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -681,7 +681,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -699,7 +699,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -718,7 +718,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -739,7 +739,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -760,7 +760,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: 
@@ -781,7 +781,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -802,7 +802,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -823,7 +823,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -843,7 +843,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -861,7 +861,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -879,7 +879,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: 
@@ -897,7 +897,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -915,7 +915,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -933,7 +933,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -951,7 +951,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -969,7 +969,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -987,7 +987,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: 
@@ -1005,7 +1005,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -1023,7 +1023,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -1041,7 +1041,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -1059,7 +1059,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: @@ -1077,7 +1077,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 - name: Setup Environment uses: ./.github/actions/setup-env with: From 61a83743954936d5f40b7203bfe275eb116d76e5 Mon Sep 17 00:00:00 2001 From: Brandon Metcalf Date: Wed, 3 Dec 2025 11:20:50 -0600 Subject: [PATCH 07/14] fix test errors 
Signed-off-by: Brandon Metcalf --- .../.chainsaw-test/chainsaw-test.yaml | 0 .../.chainsaw-test/patched03.yaml | 0 .../.chainsaw-test/patched04.yaml | 0 .../.chainsaw-test/policy-ready.yaml | 0 .../.chainsaw-test/resource-others.yaml | 0 .../.kyverno-test/kyverno-test.yaml | 0 .../.kyverno-test/patched01.yaml | 0 .../.kyverno-test/patched02.yaml | 0 .../.kyverno-test/resource.yaml | 0 .../add-karpenter-donot-disrupt.yaml} | 0 .../artifacthub-pkg.yml | 4 ++-- 11 files changed, 2 insertions(+), 2 deletions(-) rename karpenter/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.chainsaw-test/chainsaw-test.yaml (100%) rename karpenter/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.chainsaw-test/patched03.yaml (100%) rename karpenter/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.chainsaw-test/patched04.yaml (100%) rename karpenter/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.chainsaw-test/policy-ready.yaml (100%) rename karpenter/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.chainsaw-test/resource-others.yaml (100%) rename karpenter/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.kyverno-test/kyverno-test.yaml (100%) rename karpenter/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.kyverno-test/patched01.yaml (100%) rename karpenter/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.kyverno-test/patched02.yaml (100%) rename karpenter/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.kyverno-test/resource.yaml (100%) rename karpenter/{add-karpenter-donot-evict/add-karpenter-do-not-disrupt.yaml => add-karpenter-donot-disrupt/add-karpenter-donot-disrupt.yaml} (100%) rename karpenter/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/artifacthub-pkg.yml (94%) 
diff --git a/karpenter/add-karpenter-donot-evict/.chainsaw-test/chainsaw-test.yaml b/karpenter/add-karpenter-donot-disrupt/.chainsaw-test/chainsaw-test.yaml
similarity index 100%
rename from karpenter/add-karpenter-donot-evict/.chainsaw-test/chainsaw-test.yaml
rename to karpenter/add-karpenter-donot-disrupt/.chainsaw-test/chainsaw-test.yaml
diff --git a/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched03.yaml b/karpenter/add-karpenter-donot-disrupt/.chainsaw-test/patched03.yaml
similarity index 100%
rename from karpenter/add-karpenter-donot-evict/.chainsaw-test/patched03.yaml
rename to karpenter/add-karpenter-donot-disrupt/.chainsaw-test/patched03.yaml
diff --git a/karpenter/add-karpenter-donot-evict/.chainsaw-test/patched04.yaml b/karpenter/add-karpenter-donot-disrupt/.chainsaw-test/patched04.yaml
similarity index 100%
rename from karpenter/add-karpenter-donot-evict/.chainsaw-test/patched04.yaml
rename to karpenter/add-karpenter-donot-disrupt/.chainsaw-test/patched04.yaml
diff --git a/karpenter/add-karpenter-donot-evict/.chainsaw-test/policy-ready.yaml b/karpenter/add-karpenter-donot-disrupt/.chainsaw-test/policy-ready.yaml
similarity index 100%
rename from karpenter/add-karpenter-donot-evict/.chainsaw-test/policy-ready.yaml
rename to karpenter/add-karpenter-donot-disrupt/.chainsaw-test/policy-ready.yaml
diff --git a/karpenter/add-karpenter-donot-evict/.chainsaw-test/resource-others.yaml b/karpenter/add-karpenter-donot-disrupt/.chainsaw-test/resource-others.yaml
similarity index 100%
rename from karpenter/add-karpenter-donot-evict/.chainsaw-test/resource-others.yaml
rename to karpenter/add-karpenter-donot-disrupt/.chainsaw-test/resource-others.yaml
diff --git a/karpenter/add-karpenter-donot-evict/.kyverno-test/kyverno-test.yaml b/karpenter/add-karpenter-donot-disrupt/.kyverno-test/kyverno-test.yaml
similarity index 100%
rename from karpenter/add-karpenter-donot-evict/.kyverno-test/kyverno-test.yaml
rename to karpenter/add-karpenter-donot-disrupt/.kyverno-test/kyverno-test.yaml
diff --git a/karpenter/add-karpenter-donot-evict/.kyverno-test/patched01.yaml b/karpenter/add-karpenter-donot-disrupt/.kyverno-test/patched01.yaml
similarity index 100%
rename from karpenter/add-karpenter-donot-evict/.kyverno-test/patched01.yaml
rename to karpenter/add-karpenter-donot-disrupt/.kyverno-test/patched01.yaml
diff --git a/karpenter/add-karpenter-donot-evict/.kyverno-test/patched02.yaml b/karpenter/add-karpenter-donot-disrupt/.kyverno-test/patched02.yaml
similarity index 100%
rename from karpenter/add-karpenter-donot-evict/.kyverno-test/patched02.yaml
rename to karpenter/add-karpenter-donot-disrupt/.kyverno-test/patched02.yaml
diff --git a/karpenter/add-karpenter-donot-evict/.kyverno-test/resource.yaml b/karpenter/add-karpenter-donot-disrupt/.kyverno-test/resource.yaml
similarity index 100%
rename from karpenter/add-karpenter-donot-evict/.kyverno-test/resource.yaml
rename to karpenter/add-karpenter-donot-disrupt/.kyverno-test/resource.yaml
diff --git a/karpenter/add-karpenter-donot-evict/add-karpenter-do-not-disrupt.yaml b/karpenter/add-karpenter-donot-disrupt/add-karpenter-donot-disrupt.yaml
similarity index 100%
rename from karpenter/add-karpenter-donot-evict/add-karpenter-do-not-disrupt.yaml
rename to karpenter/add-karpenter-donot-disrupt/add-karpenter-donot-disrupt.yaml
diff --git a/karpenter/add-karpenter-donot-evict/artifacthub-pkg.yml b/karpenter/add-karpenter-donot-disrupt/artifacthub-pkg.yml
similarity index 94%
rename from karpenter/add-karpenter-donot-evict/artifacthub-pkg.yml
rename to karpenter/add-karpenter-donot-disrupt/artifacthub-pkg.yml
index 6faa72fc6..b71ae37e6 100644
--- a/karpenter/add-karpenter-donot-evict/artifacthub-pkg.yml +++ b/karpenter/add-karpenter-donot-disrupt/artifacthub-pkg.yml @@ -6,7 +6,7 @@ description: >- If a Pod exists with the annotation `karpenter.sh/do-not-disrupt: true` on a Node, and a request is made to delete the Node, Karpenter will not drain any Pods from that Node or otherwise try to delete the Node. This is useful for Pods that should run uninterrupted to completion. This policy mutates Jobs and CronJobs so that Pods spawned by them will contain the `karpenter.sh/do-not-disrupt: true` annotation. install: |- ```shell - kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/karpenter/add-karpenter-donot-disrupt/add-karpenter-do-not-disrupt.yaml + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/karpenter/add-karpenter-donot-disrupt/add-karpenter-donot-disrupt.yaml ``` keywords: - kyverno @@ -20,4 +20,4 @@ annotations: kyverno/category: "Karpenter, EKS Best Practices" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: cce9736174afeaba6059a9dc3b577f61a812637e199f0d0f5460caff78472402 +digest: 97c2cd7156ae13003509bd6322ba3cdefc87a0027098c63af4fdb65dce66c662 From cdcd7b22a74bd490c5c574ab0b52d66ef7ccf266 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Thu, 27 Nov 2025 16:20:28 +0000 Subject: [PATCH 08/14] chore: add kyverno tests and convert a cpol to vp (#1385) Signed-off-by: Mariam Fahmy 
Signed-off-by: Brandon Metcalf --- .../.kyverno-test/kyverno-test.yaml | 54 ++++ .../.kyverno-test/resource.yaml | 263 ++++++++++++++++++ .../.kyverno-test/context.yaml | 14 + .../.kyverno-test/kyverno-test.yaml | 55 ++++ .../.kyverno-test/resource.yaml | 233 ++++++++++++++++ .../.kyverno-test/value.yaml | 17 ++ .../.chainsaw-test/bad-cm-update.yaml | 7 + .../.chainsaw-test/bad-pod.yaml | 9 + .../chainsaw-step-03-apply-1.yaml | 12 + .../.chainsaw-test/chainsaw-test.yaml | 101 +++++++ .../.chainsaw-test/good-cm.yaml | 7 + .../.chainsaw-test/good-pod-not-admin.yaml | 9 + .../.chainsaw-test/good-pod.yaml | 8 + .../.chainsaw-test/ns.yaml | 4 + .../.chainsaw-test/permissions.yaml | 17 ++ .../.chainsaw-test/policy-ready.yaml | 13 + .../artifacthub-pkg.yml | 24 ++ .../block-cluster-admin-from-ns.yaml | 38 +++ 18 files changed, 885 insertions(+) create mode 100644 other-vpol/allowed-image-repos/.kyverno-test/kyverno-test.yaml create mode 100644 other-vpol/allowed-image-repos/.kyverno-test/resource.yaml create mode 100644 other-vpol/allowed-pod-priorities/.kyverno-test/context.yaml create mode 100644 other-vpol/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml create mode 100644 other-vpol/allowed-pod-priorities/.kyverno-test/resource.yaml create mode 100644 other-vpol/allowed-pod-priorities/.kyverno-test/value.yaml create mode 100644 other-vpol/block-cluster-admin-from-ns/.chainsaw-test/bad-cm-update.yaml create mode 100644 other-vpol/block-cluster-admin-from-ns/.chainsaw-test/bad-pod.yaml create mode 100755 other-vpol/block-cluster-admin-from-ns/.chainsaw-test/chainsaw-step-03-apply-1.yaml create mode 100755 other-vpol/block-cluster-admin-from-ns/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-vpol/block-cluster-admin-from-ns/.chainsaw-test/good-cm.yaml create mode 100644 other-vpol/block-cluster-admin-from-ns/.chainsaw-test/good-pod-not-admin.yaml create mode 100644 other-vpol/block-cluster-admin-from-ns/.chainsaw-test/good-pod.yaml create mode 100644 
other-vpol/block-cluster-admin-from-ns/.chainsaw-test/ns.yaml
create mode 100644 other-vpol/block-cluster-admin-from-ns/.chainsaw-test/permissions.yaml
create mode 100644 other-vpol/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml
create mode 100644 other-vpol/block-cluster-admin-from-ns/artifacthub-pkg.yml
create mode 100644 other-vpol/block-cluster-admin-from-ns/block-cluster-admin-from-ns.yaml
diff --git a/other-vpol/allowed-image-repos/.kyverno-test/kyverno-test.yaml b/other-vpol/allowed-image-repos/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..b13b4c4d7
--- /dev/null
+++ b/other-vpol/allowed-image-repos/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,54 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: allowed-image-repos
+policies:
+- ../allowed-image-repos.yaml
+resources:
+- resource.yaml
+results:
+- isValidatingPolicy: true
+ kind: Pod
+ policy: allowed-image-repos
+ resources:
+ - badpod01
+ - badpod02
+ - badpod03
+ - badpod04
+ result: fail
+- isValidatingPolicy: true
+ kind: Pod
+ policy: allowed-image-repos
+ resources:
+ - goodpod01
+ - goodpod02
+ - goodpod03
+ result: pass
+- isValidatingPolicy: true
+ kind: Deployment
+ policy: allowed-image-repos
+ resources:
+ - baddeployment01
+ - baddeployment02
+ result: fail
+- isValidatingPolicy: true
+ kind: Deployment
+ policy: allowed-image-repos
+ resources:
+ - gooddeployment01
+ - gooddeployment02
+ result: pass
+- isValidatingPolicy: true
+ kind: CronJob
+ policy: allowed-image-repos
+ resources:
+ - badcronjob01
+ - badcronjob02
+ result: fail
+- isValidatingPolicy: true
+ kind: CronJob
+ policy: allowed-image-repos
+ resources:
+ - goodcronjob01
+ - goodcronjob02
+ result: pass
diff --git a/other-vpol/allowed-image-repos/.kyverno-test/resource.yaml b/other-vpol/allowed-image-repos/.kyverno-test/resource.yaml
new file mode 100644
index 000000000..86456d03d
--- /dev/null
+++ b/other-vpol/allowed-image-repos/.kyverno-test/resource.yaml
@@ -0,0 +1,263 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01
+spec:
+ containers:
+ - name: pod-01
+ image: ghcr.io/kyverno/test-busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod02
+spec:
+ containers:
+ - name: pod-01
+ image: myknownimage
+ - name: pod-02
+ image: ghcr.io/kyverno/test-busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod03
+spec:
+ initContainers:
+ - name: pod-01-init
+ image: ghcr.io/kyverno/test-busybox:1.35
+ - name: pod-02-init
+ image: myknownimage
+ containers:
+ - name: pod-01
+ image: myknownimage
+ - name: pod-02
+ image: kyverno
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod04
+spec:
+ initContainers:
+ - name: pod-01-init
+ image: myknownimage
+ - name: pod-02-init
+ image: myknownimage
+ containers:
+ - name: pod-01
+ image: myknownimage
+ - name: pod-02
+ image: docker.io/busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod01
+spec:
+ containers:
+ - name: pod-01
+ image: myknownimage
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod02
+spec:
+ containers:
+ - name: pod-01
+ image: ghcr.io/images/myknownimage:1.26
+ - name: pod-02
+ image: ghcr.io/kyverno/kyverno:latest
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod03
+spec:
+ initContainers:
+ - name: pod-01-init
+ image: kyverno:latest
+ - name: pod-02-init
+ image: myknownimage
+ containers:
+ - name: pod-01
+ image: myknownimage:1.14
+ - name: pod-02
+ image: kyverno
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: baddeployment01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ initContainers:
+ - name: bb-01-init
+ image: ghcr.io/kyverno/test-busybox:1.35
+ containers:
+ - name: bb-01
+ image: ghcr.io/kyverno/test-busybox:1.35
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: baddeployment02
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ initContainers:
+ - name: bb01-init
+ image: ghcr.io/kyverno/test-busybox:1.35
+ containers:
+ - name: bb-01
+ image: myknownimage
+ - name: bb-02
+ image: ghcr.io/kyverno/test-busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob01
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ initContainers:
+ - name: bb-01-init
+ image: kyverno
+ containers:
+ - name: bb-01
+ image: ghcr.io/kyverno/test-busybox:1.35
+ restartPolicy: OnFailure
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob02
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ initContainers:
+ - name: bb01-init
+ image: ghcr.io/kyverno/test-busybox:1.35
+ containers:
+ - name: bb-01
+ image: kyverno
+ - name: bb-02
+ image: myknownimage
+ restartPolicy: OnFailure
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: gooddeployment01
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ initContainers:
+ - name: bb-01-init
+ image: myknownimage
+ containers:
+ - name: bb-01
+ image: kyverno
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: gooddeployment02
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ initContainers:
+ - name: bb01-init
+ image: kyverno
+ containers:
+ - name: bb-01
+ image: myknownimage
+ - name: bb-02
+ image: kyverno
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: goodcronjob01
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ initContainers:
+ - name: bb-01-init
+ image: myknownimage
+ containers:
+ - name: bb-01
+ image: kyverno
+ restartPolicy: OnFailure
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: goodcronjob02
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ initContainers:
+ - name: bb01-init
+ image: kyverno
+ containers:
+ - name: bb-01
+ image: myknownimage
+ - name: bb-02
+ image: kyverno
+ restartPolicy: OnFailure
diff --git a/other-vpol/allowed-pod-priorities/.kyverno-test/context.yaml b/other-vpol/allowed-pod-priorities/.kyverno-test/context.yaml
new file mode 100644
index 000000000..7d993cc6f
--- /dev/null
+++ b/other-vpol/allowed-pod-priorities/.kyverno-test/context.yaml
@@ -0,0 +1,14 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Context
+metadata:
+ name: context
+spec:
+ resources:
+ - apiVersion: v1
+ data:
+ pod-priority-ns: "high, medium, low"
+ no-priority-ns: foo
+ kind: ConfigMap
+ metadata:
+ name: allowed-pod-priorities
+ namespace: default
\ No newline at end of file
diff --git a/other-vpol/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml b/other-vpol/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml
new file mode 100644
index 000000000..ca6c79c6c
--- /dev/null
+++ b/other-vpol/allowed-pod-priorities/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,55 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: allowed-pod-priorities
+policies:
+- ../allowed-pod-priorities.yaml
+resources:
+- resource.yaml
+results:
+- isValidatingPolicy: true
+ kind: Pod
+ policy: allowed-podpriorities
+ resources:
+ - pod-priority-ns/badpod01
+ - no-priority-ns/badpod02
+ result: fail
+- isValidatingPolicy: true
+ kind: Pod
+ policy: allowed-podpriorities
+ resources:
+ - pod-priority-ns/goodpod01
+ - pod-priority-ns/goodpod02
+ - default/goodpod03
+ - no-priority-ns/goodpod04
+ result: pass
+- isValidatingPolicy: true
+ kind: Deployment
+ policy: allowed-podpriorities
+ resources:
+ - pod-priority-ns/baddeployment01
+ - pod-priority-ns/baddeployment02
+ result: fail
+- isValidatingPolicy: true
+ kind: Deployment
+ policy: allowed-podpriorities
+ resources:
+ - pod-priority-ns/gooddeployment01
+ - no-priority-ns/gooddeployment02
+ result: pass
+- isValidatingPolicy: true
+ kind: CronJob
+ policy: allowed-podpriorities
+ resources:
+ - pod-priority-ns/badcronjob01
+ - pod-priority-ns/badcronjob02
+ result: fail
+- isValidatingPolicy: true
+ kind: CronJob
+ policy: allowed-podpriorities
+ resources:
+ - pod-priority-ns/goodcronjob01
+ - no-priority-ns/goodcronjob02
+ result: pass
+context: context.yaml
+variables: value.yaml
\ No newline at end of file
diff --git a/other-vpol/allowed-pod-priorities/.kyverno-test/resource.yaml b/other-vpol/allowed-pod-priorities/.kyverno-test/resource.yaml
new file mode 100644
index 000000000..5be2e95df
--- /dev/null
+++ b/other-vpol/allowed-pod-priorities/.kyverno-test/resource.yaml
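Review bot: The fixture `goodpod05` in the resource.yaml hunk that follows (no namespace, `priorityClassName: low`) has no entry in `results`, so the policy's behaviour for a namespace with no key in the `allowed-pod-priorities` ConfigMap (context.yaml only defines `pod-priority-ns` and `no-priority-ns`) is never asserted, and the CLI will not flag the gap. Either add `default/goodpod05` to the `pass` or `fail` set the policy intends, or remove the fixture. The `policy: allowed-podpriorities` value differs from the file name `../allowed-pod-priorities.yaml`; presumably it matches the policy's metadata.name, which is outside this commit, so I could not confirm it.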
@@ -0,0 +1,233 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01
+ namespace: pod-priority-ns
+spec:
+ containers:
+ - name: pod01
+ image: ghcr.io/kyverno/test-busybox:1.35
+ priorityClassName: foo
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod02
+ namespace: no-priority-ns
+spec:
+ containers:
+ - name: pod01
+ image: ghcr.io/kyverno/test-busybox:1.35
+ priorityClassName: low
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod01
+ namespace: pod-priority-ns
+spec:
+ containers:
+ - name: pod01
+ image: ghcr.io/kyverno/test-busybox:1.35
+ priorityClassName: high
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod02
+ namespace: pod-priority-ns
+spec:
+ containers:
+ - name: pod01
+ image: ghcr.io/kyverno/test-busybox:1.35
+ priorityClassName: low
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod03
+spec:
+ containers:
+ - name: pod01
+ image: ghcr.io/kyverno/test-busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod04
+ namespace: no-priority-ns
+spec:
+ containers:
+ - name: pod01
+ image: ghcr.io/kyverno/test-busybox:1.35
+ priorityClassName: foo
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod05
+spec:
+ containers:
+ - name: pod01
+ image: ghcr.io/kyverno/test-busybox:1.35
+ priorityClassName: low
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: baddeployment01
+ namespace: pod-priority-ns
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ priorityClassName: foo
+ containers:
+ - name: bb-01
+ image: ghcr.io/kyverno/test-busybox:1.35
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: baddeployment02
+ namespace: pod-priority-ns
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ priorityClassName: foo
+ containers:
+ - name: bb-01
+ image: ghcr.io/kyverno/test-busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob01
+ namespace: pod-priority-ns
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ priorityClassName: med
+ containers:
+ - name: bb-01
+ image: kyverno
+ restartPolicy: OnFailure
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: badcronjob02
+ namespace: pod-priority-ns
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ priorityClassName: foo
+ containers:
+ - name: bb-01
+ image: kyverno
+ restartPolicy: OnFailure
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: gooddeployment01
+ namespace: pod-priority-ns
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ priorityClassName: high
+ containers:
+ - name: bb-01
+ image: ghcr.io/kyverno/test-busybox:1.35
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: busybox
+ name: gooddeployment02
+ namespace: no-priority-ns
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: busybox
+ strategy: {}
+ template:
+ metadata:
+ labels:
+ app: busybox
+ spec:
+ priorityClassName: foo
+ containers:
+ - name: bb-01
+ image: ghcr.io/kyverno/test-busybox:1.35
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: goodcronjob01
+ namespace: pod-priority-ns
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ priorityClassName: medium
+ containers:
+ - name: bb-01
+ image: kyverno
+ restartPolicy: OnFailure
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: goodcronjob02
+ namespace: no-priority-ns
+spec:
+ schedule: "* * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ priorityClassName: foo
+ containers:
+ - name: bb-01
+ image: kyverno
+ restartPolicy: OnFailure
diff --git a/other-vpol/allowed-pod-priorities/.kyverno-test/value.yaml b/other-vpol/allowed-pod-priorities/.kyverno-test/value.yaml
new file mode 100644
index 000000000..375957250
--- /dev/null
+++ b/other-vpol/allowed-pod-priorities/.kyverno-test/value.yaml
@@ -0,0 +1,17 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Value
+metadata:
+ name: values
+namespaces:
+- apiVersion: v1
+ kind: Namespace
+ metadata:
+ name: pod-priority-ns
+- apiVersion: v1
+ kind: Namespace
+ metadata:
+ name: no-priority-ns
+- apiVersion: v1
+ kind: Namespace
+ metadata:
+ name: default
diff --git a/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/bad-cm-update.yaml b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/bad-cm-update.yaml
new file mode 100644
index 000000000..d62309274
--- /dev/null
+++ b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/bad-cm-update.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: goodcm01
+ namespace: testnamespace
+data:
+ foo: foo
\ No newline at end of file
diff --git a/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/bad-pod.yaml b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/bad-pod.yaml
new file mode 100644
index 000000000..a93ee9bf9
--- /dev/null
+++ b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/bad-pod.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01
+ namespace: testnamespace
+spec:
+ containers:
+ - name: busybox
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/chainsaw-step-03-apply-1.yaml b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/chainsaw-step-03-apply-1.yaml
new file mode 100755
index 000000000..3692fc287
--- /dev/null
+++ b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/chainsaw-step-03-apply-1.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: testuser-crb
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: testuser
diff --git a/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/chainsaw-test.yaml b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..e83c46c63
--- /dev/null
+++ b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,101 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: block-cluster-admin-from-ns
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: permissions.yaml
+ - apply:
+ file: ../block-cluster-admin-from-ns.yaml
+ - apply:
+ file: ns.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - script:
+ content: |
+ #!/bin/bash
+ set -eu
+ cp $KUBECONFIG temp
+ export KUBECONFIG=./temp
+ export USERNAME=testuser
+ export CA=ca.crt
+ #### Get CA certificate from kubeconfig assuming it's the first in the list.
+ kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 --decode > ./ca.crt
+ #### Set CLUSTER_SERVER from kubeconfig assuming it's the first in the list.
+ CLUSTER_SERVER="$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}')"
+ #### Set CLUSTER from kubeconfig assuming it's the first in the list.
+ CLUSTER="$(kubectl config view --raw -o jsonpath='{.clusters[0].name}')"
+ #### Generate private key
+ openssl genrsa -out $USERNAME.key 2048
+ #### Create CSR
+ openssl req -new -key $USERNAME.key -out $USERNAME.csr -subj "/O=testorg/CN=$USERNAME"
+ #### Send CSR to kube-apiserver for approval
+ cat < $USERNAME.crt
+ ####
+ #### Create the credential object and output the new kubeconfig file
+ kubectl config set-credentials $USERNAME --client-certificate=$USERNAME.crt --client-key=$USERNAME.key --embed-certs
+ #### Set the context
+ kubectl config set-context $USERNAME-context --user=$USERNAME --cluster=$CLUSTER
+ # Delete CSR
+ kubectl delete csr $USERNAME
+ - apply:
+ file: chainsaw-step-03-apply-1.yaml
+ - script:
+ content: |
+ set -eu
+ export KUBECONFIG=./temp
+ kubectl create -f good-cm.yaml
+ - script:
+ content: |
+ set -eu
+ export KUBECONFIG=./temp
+ if kubectl --context=testuser-context apply -f bad-cm-update.yaml; then exit 1; else exit 0; fi
+ - script:
+ content: |
+ set -eu
+ export KUBECONFIG=./temp
+ if kubectl --context=testuser-context delete -f good-cm.yaml; then exit 1; else exit 0; fi
+ - script:
+ content: |
+ set -eu
+ export KUBECONFIG=./temp
+ kubectl --context=testuser-context create -f good-pod.yaml
+ - script:
+ content: |
+ set -eu
+ export KUBECONFIG=./temp
+ if kubectl --context=testuser-context create -f bad-pod.yaml; then exit 1; else exit 0; fi
+ - apply:
+ file: good-pod-not-admin.yaml
+ finally:
+ - script:
+ content: kubectl delete -f good-pod.yaml --ignore-not-found
+ - script:
+ content: kubectl delete -f good-cm.yaml --ignore-not-found
+ - script:
+ content: kubectl delete -f bad-cm-update.yaml --ignore-not-found
+ - script:
+ content: |
+ set -e
+ rm ./temp
diff --git a/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/good-cm.yaml b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/good-cm.yaml
new file mode 100644
index 000000000..84a25ec2e
--- /dev/null
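Review bot: The `finally` block only removes `./temp`, so the `testuser.key`, `testuser.crt`, `testuser.csr` and `ca.crt` files that the step-02 script writes into the test directory survive the run; the private key should go with the kubeconfig copy that embeds it, e.g. `rm -f ./temp ./testuser.key ./testuser.crt ./testuser.csr ./ca.crt`. `$KUBECONFIG` and `$USERNAME` are unquoted throughout the script, and under `set -eu` a kubeconfig path containing a space makes `cp $KUBECONFIG temp` fail, so `cp "$KUBECONFIG" temp` is the safer form; `export CA=ca.crt` is never read. The CSR submission between `#### Send CSR to kube-apiserver for approval` and `$USERNAME.crt` appears truncated in this rendering (the hunk declares 101 lines, fewer are visible), so I could not review how the CSR is approved and the signed certificate retrieved.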
+++ b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/good-cm.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: goodcm01
+ namespace: testnamespace
+data:
+ foo: bar
\ No newline at end of file
diff --git a/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/good-pod-not-admin.yaml b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/good-pod-not-admin.yaml
new file mode 100644
index 000000000..9046e73b0
--- /dev/null
+++ b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/good-pod-not-admin.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod02
+ namespace: testnamespace
+spec:
+ containers:
+ - name: busybox
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/good-pod.yaml b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/good-pod.yaml
new file mode 100644
index 000000000..1db6a8b46
--- /dev/null
+++ b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/good-pod.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod01
+spec:
+ containers:
+ - name: busybox
+ image: ghcr.io/kyverno/test-busybox:1.35
\ No newline at end of file
diff --git a/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/ns.yaml b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/ns.yaml
new file mode 100644
index 000000000..c0080261c
--- /dev/null
+++ b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: testnamespace
\ No newline at end of file
diff --git a/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/permissions.yaml b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/permissions.yaml
new file mode 100644
index 000000000..3490cb26e
--- /dev/null
+++ b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/permissions.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kyverno:configmaps:view
+ labels:
+ rbac.kyverno.io/aggregate-to-background-controller: "true"
+ rbac.kyverno.io/aggregate-to-admission-controller: "true"
+ rbac.kyverno.io/aggregate-to-reports-controller: "true"
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml
new file mode 100644
index 000000000..ecdaa8d83
--- /dev/null
+++ b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml
@@ -0,0 +1,13 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: block-cluster-admin-from-ns
+status:
+ conditionStatus:
+ conditions:
+ - reason: Succeeded
+ type: WebhookConfigured
+ status: "True"
+ - reason: Succeeded
+ type: RBACPermissionsGranted
+ status: "True"
\ No newline at end of file
diff --git a/other-vpol/block-cluster-admin-from-ns/artifacthub-pkg.yml b/other-vpol/block-cluster-admin-from-ns/artifacthub-pkg.yml
new file mode 100644
index 000000000..7e333bf1c
--- /dev/null
+++ b/other-vpol/block-cluster-admin-from-ns/artifacthub-pkg.yml
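Review bot: The ClusterRole is named `kyverno:configmaps:view` but its single rule grants `get`/`list`/`watch` on `resources: ['*']` across `apiGroups: ['*']`, and the three aggregation labels hand that cluster-wide read access (Secrets included) to the admission, background and reports controllers. The ValidatingPolicy added in this commit only evaluates `request.*` fields and performs no API lookups, so I cannot see what the grant is needed for; if it exists only so the `RBACPermissionsGranted` condition in policy-ready.yaml is met, narrow it to `apiGroups: [""]` and `resources: ["configmaps"]` so the fixture matches its name, or drop the file if the condition passes without it. Test fixtures in this repository tend to be copied into new policies, so an over-broad one is worth fixing at the source.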
@@ -0,0 +1,24 @@ +name: block-cluster-admin-from-ns +version: 1.0.0 +displayName: Block cluster-admin from modifying any object in a Namespace +createdAt: "2023-05-18T00:00:00.000Z" +description: >- + In some cases, it may be desirable to block operations of certain privileged users (i.e. cluster-admins) in a specific namespace. In this policy, Kyverno will look for all user operations (CREATE, UPDATE, DELETE), on every object kind, in the testnamespace namespace, and for the ClusterRole cluster-admin. The user testuser is also mentioned so it won't include all the cluster-admins in the cluster, but will be flexible enough to apply only for a sub-group of the cluster-admins in the cluster. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-vpol/block-cluster-admin-from-ns/block-cluster-admin-from-ns.yaml + ``` +keywords: + - rbac + - cluster-admin + - ValidatingPolicy + - kyverno +readme: | + In some cases, it may be desirable to block operations of certain privileged users (i.e. cluster-admins) in a specific namespace. In this policy, Kyverno will look for all user operations (CREATE, UPDATE, DELETE), on every object kind, in the testnamespace namespace, and for the ClusterRole cluster-admin. The user testuser is also mentioned so it won't include all the cluster-admins in the cluster, but will be flexible enough to apply only for a sub-group of the cluster-admins in the cluster. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: Other + kyverno/subject: Namespace, ClusterRole, User + kyverno/version: "1.15.0" +digest: f59b39ec27931b28e479f3525f42dc6d6014bc928fed77784113b48dc966e1e0 diff --git a/other-vpol/block-cluster-admin-from-ns/block-cluster-admin-from-ns.yaml b/other-vpol/block-cluster-admin-from-ns/block-cluster-admin-from-ns.yaml new file mode 100644 index 000000000..19d797519 --- /dev/null 
+++ b/other-vpol/block-cluster-admin-from-ns/block-cluster-admin-from-ns.yaml @@ -0,0 +1,38 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: block-cluster-admin-from-ns + annotations: + policies.kyverno.io/title: Block cluster-admin from modifying any object in a Namespace + policies.kyverno.io/category: Other + policies.kyverno.io/subject: Namespace, ClusterRole, User + policies.kyverno.io/minversion: 1.15.0 + policies.kyverno.io/description: >- + In some cases, it may be desirable to block operations of certain privileged users + (i.e. cluster-admins) in a specific namespace. In this policy, Kyverno will look for all user operations + (CREATE, UPDATE, DELETE), on every object kind, in the testnamespace namespace, and for the + ClusterRole cluster-admin. The user testuser is also mentioned so it won't include all the cluster-admins in + the cluster, but will be flexible enough to apply only for a sub-group of the cluster-admins in the cluster. +spec: + validationActions: ["Deny"] + variables: + - name: isTestUser + expression: 'request.userInfo.username == "testuser"' + - name: isTestNamespace + expression: 'request.namespace == "testnamespace"' + - name: hasClusterAdminRole + expression: 'request.userInfo.groups.exists(group, group == "system:masters") || request.userInfo.groups.exists(group, group.contains("cluster-admin"))' + - name: isBlockedOperation + expression: 'request.operation in ["CREATE", "UPDATE", "DELETE"]' + matchConstraints: + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: testnamespace + resourceRules: + - resources: ["*"] + operations: ["CREATE", "UPDATE", "DELETE"] + apiGroups: ["*"] + apiVersions: ["*"] + validations: + - messageExpression: '"The cluster-admin ''testuser'' user cannot touch testnamespace Namespace."' + expression: '!(variables.isTestUser && variables.isTestNamespace && variables.isBlockedOperation)' From 25ecdeeaa0171a0b76a07556573b0a5cfd637e43 Mon Sep 17 00:00:00 2001 
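Review bot: The `hasClusterAdminRole` variable is declared but never referenced, so the validation `'!(variables.isTestUser && variables.isTestNamespace && variables.isBlockedOperation)'` denies `testuser` in testnamespace regardless of privilege, while the title, description and `messageExpression` all claim the policy targets cluster-admins. Either wire it in, `expression: '!(variables.isTestUser && variables.hasClusterAdminRole && variables.isTestNamespace && variables.isBlockedOperation)'`, or drop the variable and correct the description. Note also that `group.contains("cluster-admin")` is a substring test that matches any group name embedding that string, and that group membership is only a proxy: `cluster-admin` is a ClusterRole granted through bindings, which `request.userInfo` cannot see, so if the ClusterPolicy this replaces used a `clusterRoles` match its semantics are not reproduced here and the description should say so. `isTestNamespace` duplicates the `namespaceSelector` and can be removed without changing behaviour.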
From: Mariam Fahmy Date: Thu, 27 Nov 2025 19:01:41 +0000 Subject: [PATCH 09/14] chore: convert cpols to vpols (#1386) Signed-off-by: Mariam Fahmy 
Signed-off-by: Brandon Metcalf --- .../artifacthub-pkg.yml | 2 +- .../block-ephemeral-containers.yaml | 2 +- .../.chainsaw-test/chainsaw-test.yaml | 39 +++++++++++++++++++ .../.chainsaw-test/podcontrollers-bad.yaml | 39 +++++++++++++++++++ .../.chainsaw-test/podcontrollers-good.yaml | 39 +++++++++++++++++++ .../.chainsaw-test/pods-bad.yaml | 30 ++++++++++++++ .../.chainsaw-test/pods-good.yaml | 19 +++++++++ .../.chainsaw-test/policy-ready.yaml | 13 +++++++ .../artifacthub-pkg.yml | 23 +++++++++++ .../block-images-with-volumes.yaml | 32 +++++++++++++++ .../.chainsaw-test/chainsaw-test.yaml | 39 +++++++++++++++++++ .../.chainsaw-test/podcontrollers-bad.yaml | 39 +++++++++++++++++++ .../.chainsaw-test/podcontrollers-good.yaml | 39 +++++++++++++++++++ .../.chainsaw-test/pods-bad.yaml | 30 ++++++++++++++ .../.chainsaw-test/pods-good.yaml | 19 +++++++++ .../.chainsaw-test/policy-ready.yaml | 13 +++++++ .../block-large-images/artifacthub-pkg.yml | 23 +++++++++++ .../block-large-images.yaml | 34 ++++++++++++++++ 18 files changed, 472 insertions(+), 2 deletions(-) create mode 100755 other-vpol/block-images-with-volumes/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-vpol/block-images-with-volumes/.chainsaw-test/podcontrollers-bad.yaml create mode 100644 other-vpol/block-images-with-volumes/.chainsaw-test/podcontrollers-good.yaml create mode 100644 other-vpol/block-images-with-volumes/.chainsaw-test/pods-bad.yaml create mode 100644 other-vpol/block-images-with-volumes/.chainsaw-test/pods-good.yaml create mode 100755 other-vpol/block-images-with-volumes/.chainsaw-test/policy-ready.yaml create mode 100644 other-vpol/block-images-with-volumes/artifacthub-pkg.yml create mode 100644 other-vpol/block-images-with-volumes/block-images-with-volumes.yaml create mode 100755 other-vpol/block-large-images/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-vpol/block-large-images/.chainsaw-test/podcontrollers-bad.yaml create mode 100644 
other-vpol/block-large-images/.chainsaw-test/podcontrollers-good.yaml create mode 100644 other-vpol/block-large-images/.chainsaw-test/pods-bad.yaml create mode 100644 other-vpol/block-large-images/.chainsaw-test/pods-good.yaml create mode 100755 other-vpol/block-large-images/.chainsaw-test/policy-ready.yaml create mode 100644 other-vpol/block-large-images/artifacthub-pkg.yml create mode 100644 other-vpol/block-large-images/block-large-images.yaml diff --git a/other-vpol/block-ephemeral-containers/artifacthub-pkg.yml b/other-vpol/block-ephemeral-containers/artifacthub-pkg.yml index 5a4e709df..9c81e9beb 100644 --- a/other-vpol/block-ephemeral-containers/artifacthub-pkg.yml +++ b/other-vpol/block-ephemeral-containers/artifacthub-pkg.yml @@ -19,7 +19,7 @@ annotations: kyverno/category: "Other in Vpol" kyverno/kubernetesVersion: "1.30" kyverno/subject: "Pod" -digest: 20ba872d7f176b42b8d4f04ed4f663bdb80d75efaa14cd6ed53855181b63acc3 +digest: e203b4fbf92b1a32eb78778c6303a4f0fbe5e450f0b15ab730fd3bbd0455ee4f createdAt: "2025-05-11T17:46:12Z" diff --git a/other-vpol/block-ephemeral-containers/block-ephemeral-containers.yaml b/other-vpol/block-ephemeral-containers/block-ephemeral-containers.yaml index 06ec75196..ace0a03ad 100644 --- a/other-vpol/block-ephemeral-containers/block-ephemeral-containers.yaml +++ b/other-vpol/block-ephemeral-containers/block-ephemeral-containers.yaml @@ -13,7 +13,7 @@ spec: - apiGroups: [""] apiVersions: ["v1"] operations: ["CREATE", "UPDATE"] - resources: ["pods", "pods/ephemeralcontainers"] + resources: ["pods"] validations: - expression: >- object.spec.?ephemeralContainers.orValue([]).size() == 0 diff --git a/other-vpol/block-images-with-volumes/.chainsaw-test/chainsaw-test.yaml b/other-vpol/block-images-with-volumes/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..30910a96c --- /dev/null +++ b/other-vpol/block-images-with-volumes/.chainsaw-test/chainsaw-test.yaml 
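Review bot: Dropping `pods/ephemeralcontainers` from `resources:` in block-ephemeral-containers.yaml leaves the policy matching only the main `pods` resource, but ephemeral containers are added through the `pods/ephemeralcontainers` subresource (the path `kubectl debug` uses), so as far as the visible matchConstraints show that request is no longer evaluated and the `object.spec.?ephemeralContainers` check can be bypassed. If the subresource was removed to make the RBAC readiness condition go green, that trades enforcement for status; keep `resources: ["pods", "pods/ephemeralcontainers"]` and deal with the readiness assertion separately (a later patch on this page does restore it). The chainsaw test for this policy is not in view, so I cannot tell whether it exercises the subresource path; a fixture that patches `ephemeralcontainers` directly would have caught this regression.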
@@ -0,0 +1,39 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: block-images-with-volumes +spec: + steps: + - name: step-01 + try: + - apply: + file: ../block-images-with-volumes.yaml + - patch: + resource: + apiVersion: policies.kyverno.io/v1alpha1 + kind: ValidatingPolicy + metadata: + name: block-images-with-volumes + spec: + validationActions: + - Deny + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pods-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pods-bad.yaml + - apply: + file: podcontrollers-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontrollers-bad.yaml diff --git a/other-vpol/block-images-with-volumes/.chainsaw-test/podcontrollers-bad.yaml b/other-vpol/block-images-with-volumes/.chainsaw-test/podcontrollers-bad.yaml new file mode 100644 index 000000000..07c3ab95c --- /dev/null +++ b/other-vpol/block-images-with-volumes/.chainsaw-test/podcontrollers-bad.yaml @@ -0,0 +1,39 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + - name: busybox02 + image: clover/volume:passbolt +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: busybox + image: clover/volume:passbolt + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + restartPolicy: OnFailure \ No newline at end of file 
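Review bot: The negative checks in chainsaw-test.yaml assert only `($error != null): true`, so any apply failure satisfies them — including a registry lookup error from `image.GetMetadata` (the `clover/volume:passbolt` and busybox fixtures are all resolved over the network at admission time) or a rejection from an unrelated webhook. Since the policy's denial carries a fixed message, tighten the check to it, e.g. `(contains($error, 'Images containing built-in volumes are prohibited')): true`, so a bad fixture that is denied for the wrong reason no longer passes. The block-large-images test further down uses the same `$error != null` pattern and would benefit from the same change.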
diff --git a/other-vpol/block-images-with-volumes/.chainsaw-test/podcontrollers-good.yaml b/other-vpol/block-images-with-volumes/.chainsaw-test/podcontrollers-good.yaml new file mode 100644 index 000000000..b1c48e35e --- /dev/null +++ b/other-vpol/block-images-with-volumes/.chainsaw-test/podcontrollers-good.yaml @@ -0,0 +1,39 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: busybox:1.35 + - name: busybox02 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: busybox + image: busybox:1.35 + - name: busybox02 + image: busybox:1.35 + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-vpol/block-images-with-volumes/.chainsaw-test/pods-bad.yaml b/other-vpol/block-images-with-volumes/.chainsaw-test/pods-bad.yaml new file mode 100644 index 000000000..9f85e6b60 --- /dev/null +++ b/other-vpol/block-images-with-volumes/.chainsaw-test/pods-bad.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: image-vol + image: clover/volume:passbolt +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + - name: image-vol + image: clover/volume:passbolt +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: image-vol + image: clover/volume:passbolt + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file 
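Review bot: The bad fixtures in pods-bad.yaml rely on `clover/volume:passbolt`, a third-party Docker Hub image referenced by mutable tag, to carry a `VOLUME` entry; if that tag is republished without one, or the repository disappears, the negative tests silently stop meaning what they assert. Pin the fixture by digest (`image: clover/volume@sha256:<digest>`) or, better, host a purpose-built image under `ghcr.io/kyverno/` like the good fixtures do, so the suite does not depend on an unrelated upstream and on anonymous Docker Hub pulls in CI. The bare `busybox:1.35` references in podcontrollers-bad.yaml and podcontrollers-good.yaml have the same exposure and are inconsistent with the `ghcr.io/kyverno/test-busybox` image used elsewhere in these fixtures.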
diff --git a/other-vpol/block-images-with-volumes/.chainsaw-test/pods-good.yaml b/other-vpol/block-images-with-volumes/.chainsaw-test/pods-good.yaml new file mode 100644 index 000000000..6b3f55eb7 --- /dev/null +++ b/other-vpol/block-images-with-volumes/.chainsaw-test/pods-good.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.28 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.28 + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.28 \ No newline at end of file diff --git a/other-vpol/block-images-with-volumes/.chainsaw-test/policy-ready.yaml b/other-vpol/block-images-with-volumes/.chainsaw-test/policy-ready.yaml new file mode 100755 index 000000000..2b6f77a27 --- /dev/null +++ b/other-vpol/block-images-with-volumes/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,13 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: block-images-with-volumes +status: + conditionStatus: + conditions: + - reason: Succeeded + type: WebhookConfigured + status: "True" + - reason: Succeeded + type: RBACPermissionsGranted + status: "True" diff --git a/other-vpol/block-images-with-volumes/artifacthub-pkg.yml b/other-vpol/block-images-with-volumes/artifacthub-pkg.yml new file mode 100644 index 000000000..4ad2c0c41 --- /dev/null +++ b/other-vpol/block-images-with-volumes/artifacthub-pkg.yml 
@@ -0,0 +1,23 @@ +name: block-images-with-volumes +version: 1.0.0 +displayName: Block Images with Volumes in ValidatingPolicy +createdAt: "2023-04-10T20:30:03.000Z" +description: >- + OCI images may optionally be built with VOLUME statements which, if run in read-only mode, would still result in write access to the specified location. This may be unexpected and undesirable. This policy checks the contents of every container image and inspects them for such VOLUME statements, then blocks if found. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-vpol/block-images-with-volumes/block-images-with-volumes.yaml + ``` +keywords: + - kyverno + - Other + - ValidatingPolicy +readme: | + OCI images may optionally be built with VOLUME statements which, if run in read-only mode, would still result in write access to the specified location. This may be unexpected and undesirable. This policy checks the contents of every container image and inspects them for such VOLUME statements, then blocks if found. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other in ValidatingPolicy" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "Pod" +digest: 9de23fe2ece640f3a66fa5c62304cf15917d1168692bd3d4ae185879917fb1c3 diff --git a/other-vpol/block-images-with-volumes/block-images-with-volumes.yaml b/other-vpol/block-images-with-volumes/block-images-with-volumes.yaml new file mode 100644 index 000000000..385302855 --- /dev/null +++ b/other-vpol/block-images-with-volumes/block-images-with-volumes.yaml 
@@ -0,0 +1,32 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: block-images-with-volumes + annotations: + policies.kyverno.io/title: Block Images with Volumes + policies.kyverno.io/category: Other + policies.kyverno.io/severity: medium + policies.kyverno.io/minversion: 1.15.0 + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + OCI images may optionally be built with VOLUME statements which, if run + in read-only mode, would still result in write access to the specified location. + This may be unexpected and undesirable. This policy checks the contents of every + container image and inspects them for such VOLUME statements, then blocks if found. +spec: + evaluation: + background: + enabled: true + validationActions: ["Audit"] + variables: + - name: allContainers + expression: 'object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])' + matchConstraints: + resourceRules: + - resources: ["pods"] + operations: ["CREATE", "UPDATE"] + apiGroups: [""] + apiVersions: ["v1"] + validations: + - message: "Images containing built-in volumes are prohibited." + expression: 'variables.allContainers.all(container, !has(image.GetMetadata(container.image).config.Volumes) || size(image.GetMetadata(container.image).config.?Volumes.orValue({})) == 0)' diff --git a/other-vpol/block-large-images/.chainsaw-test/chainsaw-test.yaml b/other-vpol/block-large-images/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..61104e40a --- /dev/null +++ b/other-vpol/block-large-images/.chainsaw-test/chainsaw-test.yaml 
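Review bot: The validation in block-images-with-volumes.yaml calls `image.GetMetadata(container.image)` twice per container, once inside `has(...)` and again for the `size(...)` check, and the `has()` guard is redundant because `?Volumes.orValue({})` already tolerates a missing key; `expression: 'variables.allContainers.all(container, image.GetMetadata(container.image).config.?Volumes.orValue({}).size() == 0)'` is equivalent and halves the registry round-trips. Two caveats belong in the description: the policy ships with `validationActions: ["Audit"]` although the text says it "blocks", and because images are referenced by tag the metadata inspected at admission is whatever the tag pointed to at that instant, so this should be paired with a digest-resolving mutation or a require-digest policy to avoid a pull-time mismatch. I can't see from here how GetMetadata behaves when the registry is unreachable, so it is worth documenting whether a lookup failure denies or admits the Pod.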
@@ -0,0 +1,39 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: block-large-images +spec: + steps: + - name: step-01 + try: + - apply: + file: ../block-large-images.yaml + - patch: + resource: + apiVersion: policies.kyverno.io/v1alpha1 + kind: ValidatingPolicy + metadata: + name: block-large-images + spec: + validationActions: + - Deny + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: pods-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: pods-bad.yaml + - apply: + file: podcontrollers-good.yaml + - apply: + expect: + - check: + ($error != null): true + file: podcontrollers-bad.yaml diff --git a/other-vpol/block-large-images/.chainsaw-test/podcontrollers-bad.yaml b/other-vpol/block-large-images/.chainsaw-test/podcontrollers-bad.yaml new file mode 100644 index 000000000..638897f79 --- /dev/null +++ b/other-vpol/block-large-images/.chainsaw-test/podcontrollers-bad.yaml @@ -0,0 +1,39 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + - name: busybox02 + image: nvidia/cuda:12.2.0-devel-ubi8 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: busybox + image: nvidia/cuda:12.2.0-devel-ubi8 + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + restartPolicy: OnFailure \ No newline at end of file 
diff --git a/other-vpol/block-large-images/.chainsaw-test/podcontrollers-good.yaml b/other-vpol/block-large-images/.chainsaw-test/podcontrollers-good.yaml new file mode 100644 index 000000000..9b951e23e --- /dev/null +++ b/other-vpol/block-large-images/.chainsaw-test/podcontrollers-good.yaml @@ -0,0 +1,39 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "* * * * *" + jobTemplate: + spec: + template: + spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.35 + restartPolicy: OnFailure \ No newline at end of file diff --git a/other-vpol/block-large-images/.chainsaw-test/pods-bad.yaml b/other-vpol/block-large-images/.chainsaw-test/pods-bad.yaml new file mode 100644 index 000000000..67de571ea --- /dev/null +++ b/other-vpol/block-large-images/.chainsaw-test/pods-bad.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: image-vol + image: nvidia/cuda:12.2.0-devel-ubi8 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 + - name: image-vol + image: nvidia/cuda:12.2.0-devel-ubi8 +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: image-vol + image: nvidia/cuda:12.2.0-devel-ubi8 + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.35 \ No newline at end of file 
diff --git a/other-vpol/block-large-images/.chainsaw-test/pods-good.yaml b/other-vpol/block-large-images/.chainsaw-test/pods-good.yaml new file mode 100644 index 000000000..6b3f55eb7 --- /dev/null +++ b/other-vpol/block-large-images/.chainsaw-test/pods-good.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.28 +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: busybox + image: ghcr.io/kyverno/test-busybox:1.28 + - name: busybox02 + image: ghcr.io/kyverno/test-busybox:1.28 \ No newline at end of file diff --git a/other-vpol/block-large-images/.chainsaw-test/policy-ready.yaml b/other-vpol/block-large-images/.chainsaw-test/policy-ready.yaml new file mode 100755 index 000000000..1eb7f392d --- /dev/null +++ b/other-vpol/block-large-images/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,13 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: block-large-images +status: + conditionStatus: + conditions: + - reason: Succeeded + type: WebhookConfigured + status: "True" + - reason: Succeeded + type: RBACPermissionsGranted + status: "True" diff --git a/other-vpol/block-large-images/artifacthub-pkg.yml b/other-vpol/block-large-images/artifacthub-pkg.yml new file mode 100644 index 000000000..fb972c053 --- /dev/null +++ b/other-vpol/block-large-images/artifacthub-pkg.yml 
@@ -0,0 +1,23 @@ +name: block-large-images +version: 1.0.0 +displayName: Block Large Images in ValidatingPolicy +description: >- + Pods which run containers of very large image size take longer to pull and require more space to store. A user may either inadvertently or purposefully name an image which is unusually large to disrupt operations. This policy checks the size of every container image and blocks if it is over 2 Gibibytes. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-vpol/block-large-images/block-large-images.yaml + ``` +keywords: + - kyverno + - Other + - ValidatingPolicy +readme: | + Pods which run containers of very large image size take longer to pull and require more space to store. A user may either inadvertently or purposefully name an image which is unusually large to disrupt operations. This policy checks the size of every container image and blocks if it is over 2 Gibibytes. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Other in ValidatingPolicy" + kyverno/kubernetesVersion: "1.23" + kyverno/subject: "Pod" +digest: 5158f76ea09ff1677b46b8655a22045b106ad4f8715e87b3d0998af2589f6290 +createdAt: "2025-11-27T18:39:22Z" diff --git a/other-vpol/block-large-images/block-large-images.yaml b/other-vpol/block-large-images/block-large-images.yaml new file mode 100644 index 000000000..45445f42f --- /dev/null +++ b/other-vpol/block-large-images/block-large-images.yaml 
@@ -0,0 +1,34 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: block-large-images + annotations: + policies.kyverno.io/title: Block Large Images + policies.kyverno.io/category: Other + policies.kyverno.io/severity: medium + policies.kyverno.io/minversion: 1.15.0 + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + Pods which run containers of very large image size take longer to pull + and require more space to store. A user may either inadvertently or purposefully + name an image which is unusually large to disrupt operations. This policy + checks the size of every container image and blocks if it is over 2 Gibibytes. +spec: + evaluation: + background: + enabled: true + validationActions: ["Audit"] + variables: + - name: allContainers + expression: 'object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])' + - name: maxSizeBytes + expression: '2147483648' + matchConstraints: + resourceRules: + - resources: ["pods"] + operations: ["CREATE", "UPDATE"] + apiGroups: [""] + apiVersions: ["v1"] + validations: + - message: "images with size greater than 2Gi not allowed" + expression: 'variables.allContainers.all(container, image.GetMetadata(container.image).manifest.layers.map(layer, layer.size).sum() <= variables.maxSizeBytes)' From 28e7db2a2a992f1a4519b7c6e3a9c1d4ab3715e2 Mon Sep 17 00:00:00 2001 From: Mohd Kamaal <102820439+Mohdcode@users.noreply.github.com> Date: Mon, 1 Dec 2025 14:51:17 +0530 Subject: [PATCH 10/14] add vpol dir to CI (#1389) * add dir in ci Signed-off-by: Mohd Kamaal * correction in test.yaml Signed-off-by: Mohd Kamaal * update policy-ready Signed-off-by: Mohd Kamaal * fix assertion file Signed-off-by: Mohd Kamaal * lint fix Signed-off-by: Mohd Kamaal --------- Signed-off-by: Mohd Kamaal Co-authored-by: Mohd Kamaal 
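Review bot: `manifest.layers.map(layer, layer.size).sum()` in block-large-images.yaml adds up the layer sizes recorded in the manifest, i.e. the compressed blob sizes held by the registry, not the extracted size the node must store; the description and `message` speak of a 2Gi image size without saying which, and the two can differ several-fold. Say so explicitly, e.g. `# Sum of compressed layer blobs as reported by the registry manifest; on-disk size after extraction will be larger.`, and consider renaming `maxSizeBytes` to `maxCompressedBytes`. As with the sibling policy, the file ships `validationActions: ["Audit"]` while the text says it "blocks", and tag-based references mean the manifest checked at admission may not be the one pulled later unless digests are enforced. I cannot tell from the visible code how GetMetadata treats a multi-platform image index (which manifest's layers are summed), so a fixture using one would pin that behaviour down.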
Signed-off-by: Brandon Metcalf --- .github/workflows/test.yml | 43 +++++++++++++++++++ .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 17 +++++--- .../.chainsaw-test/policy-ready.yaml | 19 ++++---- .../artifacthub-pkg.yml | 2 +- .../block-ephemeral-containers.yaml | 2 +- .../.chainsaw-test/policy-ready.yaml | 17 +++++--- .../.chainsaw-test/policy-ready.yaml | 17 +++++--- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++----- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- 
.../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 17 +++++--- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 16 ++++--- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++----- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../chainsaw-step-01-assert-1.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 21 +++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- .../.chainsaw-test/policy-ready.yaml | 18 ++++---- 
.../.chainsaw-test/policy-ready.yaml | 18 ++++---- 79 files changed, 803 insertions(+), 614 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 568b66280..f22550e43 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -729,6 +729,27 @@ jobs: path: other shard-index: ${{ matrix.shard-index }} shard-count: 9 + + other-vpol: + strategy: + fail-fast: false + matrix: + k8s-version: [v1.30.13, v1.31.9, v1.32.5, v1.33.1] + shard-index: [0,1,2,3,4,5,6,7,8] + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + - name: Setup Environment + uses: ./.github/actions/setup-env + with: + k8s-version: ${{ matrix.k8s-version }} + - name: Run Tests + uses: ./.github/actions/run-tests + with: + path: other-vpol + shard-index: ${{ matrix.shard-index }} + shard-count: 9 other-mpol: strategy: @@ -834,6 +855,24 @@ jobs: path: pod-security-cel shard-index: ${{ matrix.shard-index }} shard-count: 3 + + pod-security-vpol: + strategy: + fail-fast: false + matrix: + k8s-version: [v1.30.13, v1.31.9, v1.32.5, v1.33.1] + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + - name: Setup Environment + uses: ./.github/actions/setup-env + with: + k8s-version: ${{ matrix.k8s-version }} + - name: Run Tests + uses: ./.github/actions/run-tests + with: + path: pod-security-vpol psa: strategy: @@ -1128,11 +1167,13 @@ jobs: - openshift - openshift-cel - other + - other-vpol - other-mpol - other-cel - other-gpol - pod-security - pod-security-cel + - pod-security-vpol - psa - psa-cel - psa-mpol @@ -1194,11 +1235,13 @@ jobs: - openshift - openshift-cel - other + - other-vpol - other-mpol - other-cel - other-gpol - pod-security - pod-security-cel + - pod-security-vpol - psa - psa-cel - psa-mpol 
diff --git a/other-vpol/advanced-restrict-image-registries/.chainsaw-test/policy-ready.yaml b/other-vpol/advanced-restrict-image-registries/.chainsaw-test/policy-ready.yaml index 83efd0aef..0f2ace6fd 100644 --- a/other-vpol/advanced-restrict-image-registries/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/advanced-restrict-image-registries/.chainsaw-test/policy-ready.yaml @@ -4,11 +4,13 @@ metadata: name: advanced-restrict-image-registries status: conditionStatus: - conditions: - - reason: Succeeded - type: WebhookConfigured - status: "True" - - reason: Succeeded - type: RBACPermissionsGranted - status: "True" - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + diff --git a/other-vpol/allowed-annotations/.chainsaw-test/policy-ready.yaml b/other-vpol/allowed-annotations/.chainsaw-test/policy-ready.yaml index 5256f17fd..b5c03e863 100755 --- a/other-vpol/allowed-annotations/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/allowed-annotations/.chainsaw-test/policy-ready.yaml @@ -4,12 +4,14 @@ metadata: name: allowed-annotations status: conditionStatus: - conditions: - - reason: Succeeded - type: WebhookConfigured - status: "True" - - reason: Succeeded - type: RBACPermissionsGranted - status: "True" - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + diff --git a/other-vpol/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml b/other-vpol/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml index 9df90939d..1f0563919 100755 --- a/other-vpol/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml 
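Review bot: The rewritten readiness assertions in policy-ready.yaml now match on human-readable `message` text (`Policy is ready for reporting.`, `Webhook configured.`) in addition to `reason`/`status`, which ties every fixture in this series to Kyverno's exact wording; one reworded status message would fail all ~80 of them at once. The `reason: Succeeded` plus `status: "True"` pair already proves readiness, so drop the two `message:` lines, and either remove the redundant `type: WebhookConfigured` inside the filtered entry or add a matching `type: RBACPermissionsGranted` to the other for symmetry. Each file also gains a trailing `+ ` line with only whitespace; a final newline instead would keep yamllint quiet.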
+++ b/other-vpol/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml @@ -4,12 +4,14 @@ metadata: name: allowed-podpriorities status: conditionStatus: - conditions: - - reason: Succeeded - type: WebhookConfigured - status: "True" - - reason: Succeeded - type: RBACPermissionsGranted - status: "True" - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + diff --git a/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml index ecdaa8d83..cf5d7e296 100644 --- a/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml @@ -4,10 +4,13 @@ metadata: name: block-cluster-admin-from-ns status: conditionStatus: - conditions: - - reason: Succeeded - type: WebhookConfigured - status: "True" - - reason: Succeeded - type: RBACPermissionsGranted - status: "True" \ No newline at end of file + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + \ No newline at end of file diff --git a/other-vpol/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml b/other-vpol/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml index a5f04f3ac..6e8ff7218 100755 --- a/other-vpol/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml 
@@ -4,13 +4,12 @@ metadata:
 name: block-ephemeral-containers
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- # - message: 'Policy is not ready for reporting, missing permissions: get /v1,
- # Resource=pods/ephemeralcontainers: ; list /v1, Resource=pods/ephemeralcontainers:
- # ; watch /v1, Resource=pods/ephemeralcontainers: .'
- - reason: Failed
- status: "False"
- type: RBACPermissionsGranted
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - reason: Failed
+ status: "False"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
\ No newline at end of file
diff --git a/other-vpol/block-ephemeral-containers/artifacthub-pkg.yml b/other-vpol/block-ephemeral-containers/artifacthub-pkg.yml
index 9c81e9beb..5a4e709df 100644
--- a/other-vpol/block-ephemeral-containers/artifacthub-pkg.yml
+++ b/other-vpol/block-ephemeral-containers/artifacthub-pkg.yml
@@ -19,7 +19,7 @@ annotations:
 kyverno/category: "Other in Vpol"
 kyverno/kubernetesVersion: "1.30"
 kyverno/subject: "Pod"
-digest: e203b4fbf92b1a32eb78778c6303a4f0fbe5e450f0b15ab730fd3bbd0455ee4f
+digest: 20ba872d7f176b42b8d4f04ed4f663bdb80d75efaa14cd6ed53855181b63acc3
 createdAt: "2025-05-11T17:46:12Z"
diff --git a/other-vpol/block-ephemeral-containers/block-ephemeral-containers.yaml b/other-vpol/block-ephemeral-containers/block-ephemeral-containers.yaml
index ace0a03ad..06ec75196 100644
--- a/other-vpol/block-ephemeral-containers/block-ephemeral-containers.yaml
+++ b/other-vpol/block-ephemeral-containers/block-ephemeral-containers.yaml
@@ -13,7 +13,7 @@ spec:
 - apiGroups: [""]
 apiVersions: ["v1"]
 operations: ["CREATE", "UPDATE"]
- resources: ["pods"]
+ resources: ["pods", "pods/ephemeralcontainers"]
 validations:
 - expression: >-
 object.spec.?ephemeralContainers.orValue([]).size() == 0
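Review bot: The block-ephemeral-containers policy-ready fixture now pins RBACPermissionsGranted to `reason: Failed` / `status: "False"`, and the comment removed on the old side records the cause (get/list/watch missing on pods/ephemeralcontainers); the readiness check therefore passes only while the policy's reporting permissions stay missing, and a later permissions fix would make this test fail rather than pass. Since the same commit extends the policy's match to `pods/ephemeralcontainers`, it would be more consistent to grant those verbs and assert `Succeeded` as the other fixtures in this patch do, or, if admission-only coverage is intended, to keep a comment beside the condition, e.g. `# reporting RBAC for pods/ephemeralcontainers is intentionally not granted; admission still enforces the policy`. The deny-secret-service-account-token-type fixture later in this patch asserts the same Failed condition and has the same issue.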
diff --git a/other-vpol/block-images-with-volumes/.chainsaw-test/policy-ready.yaml b/other-vpol/block-images-with-volumes/.chainsaw-test/policy-ready.yaml
index 2b6f77a27..91e957ea0 100755
--- a/other-vpol/block-images-with-volumes/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/block-images-with-volumes/.chainsaw-test/policy-ready.yaml
@@ -4,10 +4,13 @@ metadata:
 name: block-images-with-volumes
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
\ No newline at end of file
diff --git a/other-vpol/block-large-images/.chainsaw-test/policy-ready.yaml b/other-vpol/block-large-images/.chainsaw-test/policy-ready.yaml
index 1eb7f392d..25e923303 100755
--- a/other-vpol/block-large-images/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/block-large-images/.chainsaw-test/policy-ready.yaml
@@ -4,10 +4,13 @@ metadata:
 name: block-large-images
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
\ No newline at end of file
diff --git a/other-vpol/check-env-vars/.chainsaw-test/policy-ready.yaml b/other-vpol/check-env-vars/.chainsaw-test/policy-ready.yaml
index 0e5131fe1..aac4682ca 100755
--- a/other-vpol/check-env-vars/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/check-env-vars/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: check-env-vars
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml b/other-vpol/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml
index c67eeec83..2f2c9f98c 100644
--- a/other-vpol/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: check-serviceaccount-secrets
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/deny-commands-in-exec-probe/.chainsaw-test/policy-ready.yaml b/other-vpol/deny-commands-in-exec-probe/.chainsaw-test/policy-ready.yaml
index 85f1b26b8..37507d1d3 100755
--- a/other-vpol/deny-commands-in-exec-probe/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/deny-commands-in-exec-probe/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: deny-commands-in-exec-probe
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml b/other-vpol/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml
index 5f5b50e61..ab1640be1 100644
--- a/other-vpol/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml
@@ -3,13 +3,13 @@ kind: ValidatingPolicy
 metadata:
 name: deny-secret-service-account-token-type
 status:
- conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
-
+ conditionStatus:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+ - reason: Failed
+ status: "False"
+ type: RBACPermissionsGranted
+
+
\ No newline at end of file
diff --git a/other-vpol/disallow-all-secrets/.chainsaw-test/policy-ready.yaml b/other-vpol/disallow-all-secrets/.chainsaw-test/policy-ready.yaml
index ed2a7189d..e68bc258f 100755
--- a/other-vpol/disallow-all-secrets/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/disallow-all-secrets/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: no-secrets
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/disallow-localhost-services/.chainsaw-test/policy-ready.yaml b/other-vpol/disallow-localhost-services/.chainsaw-test/policy-ready.yaml
index 438f332dc..8e3bd9c80 100755
--- a/other-vpol/disallow-localhost-services/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/disallow-localhost-services/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: no-localhost-service
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml b/other-vpol/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml
index 61a8f6758..065f0dad5 100755
--- a/other-vpol/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: secrets-not-from-env-vars
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml b/other-vpol/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml
index da1799d1d..566bba0ae 100755
--- a/other-vpol/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: docker-socket-check
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/enforce-pod-duration/.chainsaw-test/policy-ready.yaml b/other-vpol/enforce-pod-duration/.chainsaw-test/policy-ready.yaml
index c4346035b..517f7449b 100755
--- a/other-vpol/enforce-pod-duration/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/enforce-pod-duration/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: pod-lifetime
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/ensure-probes-different/.chainsaw-test/policy-ready.yaml b/other-vpol/ensure-probes-different/.chainsaw-test/policy-ready.yaml
index 5086ad048..07c8cadfa 100755
--- a/other-vpol/ensure-probes-different/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/ensure-probes-different/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: validate-probes
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml b/other-vpol/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml
index 0565dc0e2..0ea85fe4b 100755
--- a/other-vpol/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: ensure-readonly-hostpath
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/exclude-namespaces-dynamically/.chainsaw-test/policy-ready.yaml b/other-vpol/exclude-namespaces-dynamically/.chainsaw-test/policy-ready.yaml
index 4d5c19982..77827d4c3 100755
--- a/other-vpol/exclude-namespaces-dynamically/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/exclude-namespaces-dynamically/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: exclude-namespaces-example
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml b/other-vpol/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml
index aeadd95a5..db1c74c03 100755
--- a/other-vpol/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: forbid-cpu-limits
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml b/other-vpol/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml
index 6d129174b..5c893017f 100755
--- a/other-vpol/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: imagepullpolicy-always
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml b/other-vpol/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml
index d04eaff7d..1e4e21799 100755
--- a/other-vpol/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: ingress-host-match-tls
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml b/other-vpol/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml
index e2869dfc3..c6b48ac65 100755
--- a/other-vpol/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: limit-containers-per-pod
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/limit-hostpath-vols/.chainsaw-test/policy-ready.yaml b/other-vpol/limit-hostpath-vols/.chainsaw-test/policy-ready.yaml
index 7b287f722..9d3bea3a0 100755
--- a/other-vpol/limit-hostpath-vols/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/limit-hostpath-vols/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: limit-hostpath-vols
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml b/other-vpol/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml
index 744a709bf..74c763c1f 100755
--- a/other-vpol/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: memory-requests-equal-limits
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/metadata-match-regex/.chainsaw-test/policy-ready.yaml b/other-vpol/metadata-match-regex/.chainsaw-test/policy-ready.yaml
index 47e1c6dbf..4c1397942 100644
--- a/other-vpol/metadata-match-regex/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/metadata-match-regex/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: metadata-match-regex
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml b/other-vpol/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml
index c047a7a47..f5f22f3bf 100755
--- a/other-vpol/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: pdb-maxunavailable
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/prevent-bare-pods/.chainsaw-test/policy-ready.yaml b/other-vpol/prevent-bare-pods/.chainsaw-test/policy-ready.yaml
index 43c61a40e..53266b878 100755
--- a/other-vpol/prevent-bare-pods/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/prevent-bare-pods/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: prevent-bare-pods
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/prevent-cr8escape/.chainsaw-test/policy-ready.yaml b/other-vpol/prevent-cr8escape/.chainsaw-test/policy-ready.yaml
index e92858db7..3e2823b87 100644
--- a/other-vpol/prevent-cr8escape/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/prevent-cr8escape/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: prevent-cr8escape
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/require-annotations/.chainsaw-test/policy-ready.yaml b/other-vpol/require-annotations/.chainsaw-test/policy-ready.yaml
index 078df664d..05f77bdfd 100755
--- a/other-vpol/require-annotations/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/require-annotations/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: require-annotations
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/require-container-port-names/.chainsaw-test/policy-ready.yaml b/other-vpol/require-container-port-names/.chainsaw-test/policy-ready.yaml
index 59bec927f..bba9e117c 100755
--- a/other-vpol/require-container-port-names/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/require-container-port-names/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: require-container-port-names
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/require-deployments-have-multiple-replicas/.chainsaw-test/policy-ready.yaml b/other-vpol/require-deployments-have-multiple-replicas/.chainsaw-test/policy-ready.yaml
index 928994bc5..aa5354a6e 100755
--- a/other-vpol/require-deployments-have-multiple-replicas/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/require-deployments-have-multiple-replicas/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: deployment-has-multiple-replicas
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/require-emptydir-requests-limits/.chainsaw-test/policy-ready.yaml b/other-vpol/require-emptydir-requests-limits/.chainsaw-test/policy-ready.yaml
index 7a33b5445..3a2791b72 100755
--- a/other-vpol/require-emptydir-requests-limits/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/require-emptydir-requests-limits/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: require-emptydir-requests-and-limits
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/require-image-checksum/.chainsaw-test/policy-ready.yaml b/other-vpol/require-image-checksum/.chainsaw-test/policy-ready.yaml
index abdbcec1e..455e699c3 100755
--- a/other-vpol/require-image-checksum/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/require-image-checksum/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: require-image-checksum
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/require-ingress-https/.chainsaw-test/policy-ready.yaml b/other-vpol/require-ingress-https/.chainsaw-test/policy-ready.yaml
index 0b19bae05..9e96555c6 100755
--- a/other-vpol/require-ingress-https/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/require-ingress-https/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: require-ingress-https
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/require-non-root-groups/.chainsaw-test/policy-ready.yaml b/other-vpol/require-non-root-groups/.chainsaw-test/policy-ready.yaml
index f183afaa9..0111192f5 100755
--- a/other-vpol/require-non-root-groups/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/require-non-root-groups/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: require-non-root-groups
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/require-pod-priorityclassname/.chainsaw-test/policy-ready.yaml b/other-vpol/require-pod-priorityclassname/.chainsaw-test/policy-ready.yaml
index 3d56307f5..57b582c51 100644
--- a/other-vpol/require-pod-priorityclassname/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/require-pod-priorityclassname/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: require-pod-priorityclassname
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/require-qos-burstable/.chainsaw-test/policy-ready.yaml b/other-vpol/require-qos-burstable/.chainsaw-test/policy-ready.yaml
index 8206457d4..1981855e1 100755
--- a/other-vpol/require-qos-burstable/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/require-qos-burstable/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: require-qos-burstable
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/require-qos-guaranteed/.chainsaw-test/policy-ready.yaml b/other-vpol/require-qos-guaranteed/.chainsaw-test/policy-ready.yaml
index d0f95e4b7..7d1142eb7 100755
--- a/other-vpol/require-qos-guaranteed/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/require-qos-guaranteed/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: require-qos-guaranteed
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/require-storageclass/.chainsaw-test/policy-ready.yaml b/other-vpol/require-storageclass/.chainsaw-test/policy-ready.yaml
index 3f3b5cc4a..ded4bd068 100755
--- a/other-vpol/require-storageclass/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/require-storageclass/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: require-storageclass
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/restrict-annotations/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-annotations/.chainsaw-test/policy-ready.yaml
index 846005588..d06cee8d3 100755
--- a/other-vpol/restrict-annotations/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-annotations/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: restrict-annotations
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/restrict-controlplane-scheduling/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-controlplane-scheduling/.chainsaw-test/policy-ready.yaml
index 2be979aca..4742427a2 100755
--- a/other-vpol/restrict-controlplane-scheduling/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-controlplane-scheduling/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: restrict-controlplane-scheduling
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml
index 3eb9d59ea..527c2dfa6 100644
--- a/other-vpol/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: restrict-deprecated-registry
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/restrict-ingress-classes/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-ingress-classes/.chainsaw-test/policy-ready.yaml
index 9a3436c47..20a0659d3 100755
--- a/other-vpol/restrict-ingress-classes/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-ingress-classes/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: restrict-ingress-classes
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/restrict-ingress-defaultbackend/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-ingress-defaultbackend/.chainsaw-test/policy-ready.yaml
index a32c00ad3..f1746ce11 100755
--- a/other-vpol/restrict-ingress-defaultbackend/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-ingress-defaultbackend/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: restrict-ingress-defaultbackend
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/restrict-ingress-wildcard/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-ingress-wildcard/.chainsaw-test/policy-ready.yaml
index 4b32c559f..5dae5a33b 100755
--- a/other-vpol/restrict-ingress-wildcard/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-ingress-wildcard/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: restrict-ingress-wildcard
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/restrict-jobs/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-jobs/.chainsaw-test/policy-ready.yaml
index 90f0ea4ea..46ccadbc5 100644
--- a/other-vpol/restrict-jobs/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-jobs/.chainsaw-test/policy-ready.yaml
@@ -4,10 +4,13 @@ metadata:
 name: restrict-jobs
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
\ No newline at end of file
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
\ No newline at end of file
diff --git a/other-vpol/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml
index f8de530aa..e659320fb 100755
--- a/other-vpol/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: no-loadbalancer-service
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/restrict-networkpolicy-empty-podselector/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-networkpolicy-empty-podselector/.chainsaw-test/policy-ready.yaml
index e12d6039d..e0cc603ab 100755
--- a/other-vpol/restrict-networkpolicy-empty-podselector/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-networkpolicy-empty-podselector/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: restrict-networkpolicy-empty-podselector
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/restrict-node-affinity/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-node-affinity/.chainsaw-test/policy-ready.yaml
index f611d349d..9df4c9c0e 100755
--- a/other-vpol/restrict-node-affinity/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-node-affinity/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: restrict-node-affinity
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/restrict-node-label-creation/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-node-label-creation/.chainsaw-test/policy-ready.yaml
index fa27d6d8c..9fdbdd30c 100644
--- a/other-vpol/restrict-node-label-creation/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-node-label-creation/.chainsaw-test/policy-ready.yaml
@@ -4,10 +4,12 @@ metadata:
 name: restrict-node-label-creation
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
\ No newline at end of file
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - reason: Failed
+ status: "False"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
\ No newline at end of file
diff --git a/other-vpol/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/policy-ready.yaml
index f47ef2b49..71dc60422 100755
--- a/other-vpol/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/policy-ready.yaml
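Review bot: The restrict-node-label-creation fixture now asserts `reason: Failed` / `status: "False"` for `RBACPermissionsGranted`, so the readiness step treats a missing-permissions state as "ready" and will keep passing if the permission gap is never closed; the restrict-wildcard-verbs fixture later in this commit does the same. If the policy genuinely needs background or report permissions on the resources it matches, the fix belongs in the policy bundle (a ClusterRole granting read access, the pattern the series' "fix: add permissions" commit suggests) with the fixture asserting `reason: Succeeded` / `status: "True"`. If Failed is intentional because the policy is admission-only, a comment in the fixture such as `# RBACPermissionsGranted is expected to be False: this policy needs no background/report permissions` would keep the next maintainer from "fixing" it. I can only infer the intent from the fixture; the policy manifest itself is outside this hunk.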
@@ -4,11 +4,13 @@ metadata:
 name: restrict-pod-controller-serviceaccount-updates
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/restrict-sa-automount-sa-token/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-sa-automount-sa-token/.chainsaw-test/policy-ready.yaml
index d18327550..eaed9ba33 100644
--- a/other-vpol/restrict-sa-automount-sa-token/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-sa-automount-sa-token/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: restrict-sa-automount-sa-token
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/restrict-secrets-by-name/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-secrets-by-name/.chainsaw-test/policy-ready.yaml
index 7ce60eaaf..4f54a9dea 100755
--- a/other-vpol/restrict-secrets-by-name/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-secrets-by-name/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: restrict-secrets-by-name
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/restrict-service-port-range/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-service-port-range/.chainsaw-test/policy-ready.yaml
index f689b4c76..e354f80e3 100755
--- a/other-vpol/restrict-service-port-range/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-service-port-range/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: restrict-service-port-range
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/restrict-usergroup-fsgroup-id/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-usergroup-fsgroup-id/.chainsaw-test/policy-ready.yaml
index bc99c4962..2fbb5f87d 100755
--- a/other-vpol/restrict-usergroup-fsgroup-id/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-usergroup-fsgroup-id/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: validate-userid-groupid-fsgroup
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/restrict-wildcard-verbs/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-wildcard-verbs/.chainsaw-test/policy-ready.yaml
index b0547b28a..3003ad91a 100755
--- a/other-vpol/restrict-wildcard-verbs/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/restrict-wildcard-verbs/.chainsaw-test/policy-ready.yaml
@@ -3,13 +3,13 @@ kind: ValidatingPolicy
 metadata:
 name: restrict-wildcard-verbs
 status:
- conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
-
+ conditionStatus:
+ conditions:
+ - reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+ - reason: Failed
+ status: "False"
+ type: RBACPermissionsGranted
+
+
\ No newline at end of file
diff --git a/other-vpol/topologyspreadconstraints-policy/.chainsaw-test/policy-ready.yaml b/other-vpol/topologyspreadconstraints-policy/.chainsaw-test/policy-ready.yaml
index 4114e04ec..65685ac54 100755
--- a/other-vpol/topologyspreadconstraints-policy/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/topologyspreadconstraints-policy/.chainsaw-test/policy-ready.yaml
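Review bot: The restrict-wildcard-verbs fixture keeps the positional `conditions:` list form while every other policy-ready.yaml in this commit moved to the `(conditions[?type == '…'])` filter form; as far as I can tell a positional list assertion depends on the order in which the controller appends conditions, whereas the filtered form does not. Rewriting this fixture in the same filtered form as its siblings would make it order-independent and consistent, and the two added trailing blank lines could go at the same time. The `reason: Failed` / `status: "False"` expectation for `RBACPermissionsGranted` here raises the same concern as in the restrict-node-label-creation fixture earlier in this commit.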
@@ -4,11 +4,13 @@ metadata:
 name: topologyspreadconstraints-policy
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other-vpol/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-vpol/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index d88188524..8265f8e19 100755
--- a/other-vpol/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other-vpol/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -4,11 +4,13 @@ metadata:
 name: unique-ingress-path
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/other/verify-image-ivpol/.chainsaw-test/policy-ready.yaml b/other/verify-image-ivpol/.chainsaw-test/policy-ready.yaml
index b69a85438..e24929cc6 100644
--- a/other/verify-image-ivpol/.chainsaw-test/policy-ready.yaml
+++ b/other/verify-image-ivpol/.chainsaw-test/policy-ready.yaml
@@ -4,14 +4,13 @@ metadata:
 name: verify-image-ivpol
 status:
 conditionStatus:
- conditions:
- - message: Webhook configured.
- reason: Succeeded
- status: "True"
- type: WebhookConfigured
- - message: Policy is ready for reporting.
- reason: Succeeded
- status: "True"
- type: RBACPermissionsGranted
- message: ""
- ready: true
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
\ No newline at end of file
diff --git a/pod-security-vpol/baseline/disallow-capabilities/.chainsaw-test/policy-ready.yaml b/pod-security-vpol/baseline/disallow-capabilities/.chainsaw-test/policy-ready.yaml
index ae6c43aba..6cdf0779e 100755
--- a/pod-security-vpol/baseline/disallow-capabilities/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-vpol/baseline/disallow-capabilities/.chainsaw-test/policy-ready.yaml
@@ -4,12 +4,14 @@ metadata:
 name: disallow-capabilities
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/pod-security-vpol/baseline/disallow-host-namespaces/.chainsaw-test/policy-ready.yaml b/pod-security-vpol/baseline/disallow-host-namespaces/.chainsaw-test/policy-ready.yaml
index 428782e11..e6b1a0177 100755
--- a/pod-security-vpol/baseline/disallow-host-namespaces/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-vpol/baseline/disallow-host-namespaces/.chainsaw-test/policy-ready.yaml
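Review bot: The verify-image-ivpol rewrite drops the `ready: true` check the old fixture had under `status`, so the readiness step now passes as soon as the two conditions report and no longer confirms the policy's overall readiness flag; keeping `  ready: true` alongside the two filtered condition entries preserves that stronger gate. Whether `status.ready` is still surfaced for this kind is something I can only infer from the removed lines, so confirm it against the current CRD status before re-adding it. The removed `message: ""` line was an exact-match on an empty string and is fine to leave out.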
@@ -4,11 +4,13 @@ metadata:
 name: disallow-host-namespaces
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/pod-security-vpol/baseline/disallow-host-path/.chainsaw-test/policy-ready.yaml b/pod-security-vpol/baseline/disallow-host-path/.chainsaw-test/policy-ready.yaml
index 0edff4ca7..a3746fa26 100755
--- a/pod-security-vpol/baseline/disallow-host-path/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-vpol/baseline/disallow-host-path/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: disallow-host-path
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/pod-security-vpol/baseline/disallow-host-ports/.chainsaw-test/policy-ready.yaml b/pod-security-vpol/baseline/disallow-host-ports/.chainsaw-test/policy-ready.yaml
index b98f5de7f..b87ddf8f7 100755
--- a/pod-security-vpol/baseline/disallow-host-ports/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-vpol/baseline/disallow-host-ports/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: disallow-host-ports
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/pod-security-vpol/baseline/disallow-host-process/.chainsaw-test/policy-ready.yaml b/pod-security-vpol/baseline/disallow-host-process/.chainsaw-test/policy-ready.yaml
index bd96b64aa..ebd0c8578 100755
--- a/pod-security-vpol/baseline/disallow-host-process/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-vpol/baseline/disallow-host-process/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: disallow-host-process
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/pod-security-vpol/baseline/disallow-privileged-containers/.chainsaw-test/policy-ready.yaml b/pod-security-vpol/baseline/disallow-privileged-containers/.chainsaw-test/policy-ready.yaml
index 898425ea7..821855178 100755
--- a/pod-security-vpol/baseline/disallow-privileged-containers/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-vpol/baseline/disallow-privileged-containers/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: disallow-privileged-containers
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/pod-security-vpol/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml b/pod-security-vpol/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml
index 2851f8864..d32e4a32d 100755
--- a/pod-security-vpol/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-vpol/baseline/disallow-proc-mount/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: disallow-proc-mount
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/pod-security-vpol/baseline/disallow-selinux/.chainsaw-test/policy-ready.yaml b/pod-security-vpol/baseline/disallow-selinux/.chainsaw-test/policy-ready.yaml
index 748ef70cc..89998ad84 100755
--- a/pod-security-vpol/baseline/disallow-selinux/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-vpol/baseline/disallow-selinux/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: disallow-selinux
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/pod-security-vpol/baseline/restrict-seccomp/.chainsaw-test/policy-ready.yaml b/pod-security-vpol/baseline/restrict-seccomp/.chainsaw-test/policy-ready.yaml
index 2dc9766b9..825b8600c 100755
--- a/pod-security-vpol/baseline/restrict-seccomp/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-vpol/baseline/restrict-seccomp/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: restrict-seccomp
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/pod-security-vpol/baseline/restrict-sysctls/.chainsaw-test/policy-ready.yaml b/pod-security-vpol/baseline/restrict-sysctls/.chainsaw-test/policy-ready.yaml
index 1d9a82bed..f225ac605 100755
--- a/pod-security-vpol/baseline/restrict-sysctls/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-vpol/baseline/restrict-sysctls/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: restrict-sysctls
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/pod-security-vpol/restricted/disallow-capabilities-strict/.chainsaw-test/policy-ready.yaml b/pod-security-vpol/restricted/disallow-capabilities-strict/.chainsaw-test/policy-ready.yaml
index 2d7f7974f..5c79738e8 100755
--- a/pod-security-vpol/restricted/disallow-capabilities-strict/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-vpol/restricted/disallow-capabilities-strict/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: disallow-capabilities-strict
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/pod-security-vpol/restricted/disallow-privilege-escalation/.chainsaw-test/policy-ready.yaml b/pod-security-vpol/restricted/disallow-privilege-escalation/.chainsaw-test/policy-ready.yaml
index bf3bf8aaf..92c483014 100755
--- a/pod-security-vpol/restricted/disallow-privilege-escalation/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-vpol/restricted/disallow-privilege-escalation/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: disallow-privilege-escalation
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/pod-security-vpol/restricted/require-run-as-non-root-user/.chainsaw-test/policy-ready.yaml b/pod-security-vpol/restricted/require-run-as-non-root-user/.chainsaw-test/policy-ready.yaml
index 847084844..2581ac034 100755
--- a/pod-security-vpol/restricted/require-run-as-non-root-user/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-vpol/restricted/require-run-as-non-root-user/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: require-run-as-non-root-user
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/pod-security-vpol/restricted/require-run-as-nonroot/.chainsaw-test/policy-ready.yaml b/pod-security-vpol/restricted/require-run-as-nonroot/.chainsaw-test/policy-ready.yaml
index 6e55db09e..bba4f6463 100755
--- a/pod-security-vpol/restricted/require-run-as-nonroot/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-vpol/restricted/require-run-as-nonroot/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: require-run-as-nonroot
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/pod-security-vpol/restricted/restrict-seccomp-strict/.chainsaw-test/policy-ready.yaml b/pod-security-vpol/restricted/restrict-seccomp-strict/.chainsaw-test/policy-ready.yaml
index ac0438730..7a16b831a 100755
--- a/pod-security-vpol/restricted/restrict-seccomp-strict/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-vpol/restricted/restrict-seccomp-strict/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata:
 name: restrict-seccomp-strict
 status:
 conditionStatus:
- conditions:
- - reason: Succeeded
- type: WebhookConfigured
- status: "True"
- - reason: Succeeded
- type: RBACPermissionsGranted
- status: "True"
-
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
diff --git a/pod-security-vpol/restricted/restrict-volume-types/.chainsaw-test/policy-ready.yaml b/pod-security-vpol/restricted/restrict-volume-types/.chainsaw-test/policy-ready.yaml
index adef186f1..a02345350 100755
--- a/pod-security-vpol/restricted/restrict-volume-types/.chainsaw-test/policy-ready.yaml
+++ b/pod-security-vpol/restricted/restrict-volume-types/.chainsaw-test/policy-ready.yaml
@@ -4,11 +4,13 @@ metadata: name: restrict-volume-types status: conditionStatus: - conditions: - - reason: Succeeded - type: WebhookConfigured - status: "True" - - reason: Succeeded - type: RBACPermissionsGranted - status: "True" - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + From adab977848a36ed4e115429c89103504e78ddc8b Mon Sep 17 00:00:00 2001 From: shuting Date: Mon, 1 Dec 2025 18:14:42 +0800 Subject: [PATCH 11/14] fix: double-quote format issue when redenring (#1390) Signed-off-by: ShutingZhao Signed-off-by: Brandon Metcalf --- other/block-kubectl-cp/artifacthub-pkg.yml | 2 +- other/block-kubectl-cp/block-kubectl-cp.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/other/block-kubectl-cp/artifacthub-pkg.yml b/other/block-kubectl-cp/artifacthub-pkg.yml index 75d898f25..88989190d 100644 --- a/other/block-kubectl-cp/artifacthub-pkg.yml +++ b/other/block-kubectl-cp/artifacthub-pkg.yml @@ -20,4 +20,4 @@ annotations: kyverno/category: "Sample" kyverno/kubernetesVersion: "1.23" kyverno/subject: "Pod" -digest: 86b8055d717a7395da4a5b52b848fbf51637c3e2dceb74525d5a8d7a2820c9dc +digest: a8c74ca3021b883b43e24d98856cdadb32e3b3f8a477810ef6f4324e32a1853e diff --git a/other/block-kubectl-cp/block-kubectl-cp.yaml b/other/block-kubectl-cp/block-kubectl-cp.yaml index 982d35fe8..48621d345 100644 --- a/other/block-kubectl-cp/block-kubectl-cp.yaml +++ b/other/block-kubectl-cp/block-kubectl-cp.yaml @@ -3,7 +3,7 @@ kind: ClusterPolicy metadata: name: block-kubectl-cp-by-pod-label annotations: - policies.kyverno.io/title: Block "kubectl cp" by Pod Label + policies.kyverno.io/title: Block kubectl cp command by Pod Label policies.kyverno.io/category: Sample policies.kyverno.io/minversion: 1.6.0 policies.kyverno.io/subject: Pod 
From 3c7718f5248b29c00c46a23657ee389e285d8f00 Mon Sep 17 00:00:00 2001 From: Mariam Fahmy Date: Tue, 2 Dec 2025 17:45:25 +0000 Subject: [PATCH 12/14] feat: add new vpols that match subresources (#1393) Signed-off-by: Mariam Fahmy 
Signed-off-by: Brandon Metcalf --- .../.chainsaw-test/policy-ready.yaml | 18 +++---- .../.chainsaw-test/policy-ready.yaml | 18 +++---- .../.chainsaw-test/policy-ready.yaml | 18 +++---- .../.chainsaw-test/policy-ready.yaml | 18 +++---- .../.chainsaw-test/policy-ready.yaml | 16 +++--- .../.chainsaw-test/policy-ready.yaml | 18 +++---- .../.chainsaw-test/chainsaw-test.yaml | 29 +++++++++++ .../block-kubectl-cp/.chainsaw-test/ns.yaml | 4 ++ .../block-kubectl-cp/.chainsaw-test/pods.yaml | 13 +++++ .../.chainsaw-test/policy-ready.yaml | 15 ++++++ .../block-kubectl-cp/artifacthub-pkg.yml | 24 +++++++++ .../block-kubectl-cp/block-kubectl-cp.yaml | 34 +++++++++++++ .../.chainsaw-test/policy-ready.yaml | 18 +++---- .../.chainsaw-test/chainsaw-test.yaml | 47 +++++++++++++++++ .../.chainsaw-test/ns.yaml | 9 ++++ .../.chainsaw-test/podcontrollers.yaml | 51 +++++++++++++++++++ .../.chainsaw-test/pods.yaml | 24 +++++++++ .../.chainsaw-test/policy-ready.yaml | 15 ++++++ .../artifacthub-pkg.yml | 22 ++++++++ .../block-pod-exec-by-namespace.yaml | 29 +++++++++++ .../.chainsaw-test/chainsaw-test.yaml | 39 ++++++++++++++ .../.chainsaw-test/ns.yaml | 4 ++ .../.chainsaw-test/pods.yaml | 51 +++++++++++++++++++ .../.chainsaw-test/policy-ready.yaml | 14 +++++ .../artifacthub-pkg.yml | 22 ++++++++ .../block-pod-exec-by-pod-label.yaml | 32 ++++++++++++ .../.chainsaw-test/chainsaw-test.yaml | 42 +++++++++++++++ .../.chainsaw-test/namespace.yaml | 4 ++ .../.chainsaw-test/pod-1.yaml | 17 +++++++ .../.chainsaw-test/pod-2.yaml | 12 +++++ .../.chainsaw-test/pod-3.yaml | 17 +++++++ .../.chainsaw-test/policy-ready.yaml | 15 ++++++ .../artifacthub-pkg.yml | 22 ++++++++ .../block-pod-exec-by-pod-name.yaml | 30 +++++++++++ .../.chainsaw-test/policy-ready.yaml | 18 +++---- .../.chainsaw-test/policy-ready.yaml | 18 +++---- .../.chainsaw-test/policy-ready.yaml | 18 +++---- .../.chainsaw-test/policy-ready.yaml | 18 +++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- 
.../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 19 ++++--- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 11 ++-- .../.chainsaw-test/policy-ready.yaml | 19 ++++--- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 19 ++++--- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 19 ++++--- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 19 ++++--- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 19 ++++--- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 19 ++++--- .../.chainsaw-test/policy-ready.yaml | 19 ++++--- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 19 ++++--- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 11 ++-- .../.chainsaw-test/policy-ready.yaml | 11 ++-- .../.chainsaw-test/policy-ready.yaml | 12 ++--- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 12 ++--- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml 
| 18 +++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 17 +++---- .../.chainsaw-test/policy-ready.yaml | 19 ++++--- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 12 ++--- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 11 ++-- .../.chainsaw-test/policy-ready.yaml | 20 ++++---- .../.chainsaw-test/policy-ready.yaml | 12 ++--- .../.chainsaw-test/policy-ready.yaml | 19 ++++--- .../.chainsaw-test/policy-ready.yaml | 19 ++++--- .../chainsaw-step-01-assert-1.yaml | 19 ++++--- 94 files changed, 1214 insertions(+), 653 deletions(-) create mode 100755 other-vpol/block-kubectl-cp/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-vpol/block-kubectl-cp/.chainsaw-test/ns.yaml create mode 100644 other-vpol/block-kubectl-cp/.chainsaw-test/pods.yaml create mode 100644 other-vpol/block-kubectl-cp/.chainsaw-test/policy-ready.yaml create mode 100644 other-vpol/block-kubectl-cp/artifacthub-pkg.yml create mode 100644 other-vpol/block-kubectl-cp/block-kubectl-cp.yaml create mode 100755 other-vpol/block-pod-exec-by-namespace/.chainsaw-test/chainsaw-test.yaml create mode 100644 other-vpol/block-pod-exec-by-namespace/.chainsaw-test/ns.yaml create mode 100644 other-vpol/block-pod-exec-by-namespace/.chainsaw-test/podcontrollers.yaml create mode 100644 other-vpol/block-pod-exec-by-namespace/.chainsaw-test/pods.yaml create mode 100644 other-vpol/block-pod-exec-by-namespace/.chainsaw-test/policy-ready.yaml create mode 100644 other-vpol/block-pod-exec-by-namespace/artifacthub-pkg.yml create mode 100644 other-vpol/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml create mode 100755 other-vpol/block-pod-exec-by-pod-label/.chainsaw-test/chainsaw-test.yaml create mode 100644 
other-vpol/block-pod-exec-by-pod-label/.chainsaw-test/ns.yaml create mode 100644 other-vpol/block-pod-exec-by-pod-label/.chainsaw-test/pods.yaml create mode 100644 other-vpol/block-pod-exec-by-pod-label/.chainsaw-test/policy-ready.yaml create mode 100644 other-vpol/block-pod-exec-by-pod-label/artifacthub-pkg.yml create mode 100644 other-vpol/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label.yaml create mode 100755 other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/chainsaw-test.yaml create mode 100755 other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/namespace.yaml create mode 100755 other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/pod-1.yaml create mode 100755 other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/pod-2.yaml create mode 100755 other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/pod-3.yaml create mode 100644 other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/policy-ready.yaml create mode 100644 other-vpol/block-pod-exec-by-pod-name/artifacthub-pkg.yml create mode 100644 other-vpol/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml diff --git a/other-vpol/advanced-restrict-image-registries/.chainsaw-test/policy-ready.yaml b/other-vpol/advanced-restrict-image-registries/.chainsaw-test/policy-ready.yaml index 0f2ace6fd..5d0c3f2d2 100644 --- a/other-vpol/advanced-restrict-image-registries/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/advanced-restrict-image-registries/.chainsaw-test/policy-ready.yaml 
@@ -4,13 +4,13 @@ metadata: name: advanced-restrict-image-registries status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/allowed-annotations/.chainsaw-test/policy-ready.yaml b/other-vpol/allowed-annotations/.chainsaw-test/policy-ready.yaml index b5c03e863..12f58750d 100755 --- a/other-vpol/allowed-annotations/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/allowed-annotations/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,14 @@ metadata: name: allowed-annotations status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml b/other-vpol/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml index 1f0563919..275093e98 100755 --- a/other-vpol/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/allowed-pod-priorities/.chainsaw-test/policy-ready.yaml 
@@ -4,14 +4,14 @@ metadata: name: allowed-podpriorities status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml index cf5d7e296..c36daf324 100644 --- a/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/block-cluster-admin-from-ns/.chainsaw-test/policy-ready.yaml @@ -4,13 +4,13 @@ metadata: name: block-cluster-admin-from-ns status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured \ No newline at end of file diff --git a/other-vpol/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml b/other-vpol/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml index 6e8ff7218..4ed134580 100755 --- a/other-vpol/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/block-ephemeral-containers/.chainsaw-test/policy-ready.yaml 
@@ -4,12 +4,12 @@ metadata: name: block-ephemeral-containers status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - reason: Failed - status: "False" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - reason: Failed + status: "False" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured \ No newline at end of file diff --git a/other-vpol/block-images-with-volumes/.chainsaw-test/policy-ready.yaml b/other-vpol/block-images-with-volumes/.chainsaw-test/policy-ready.yaml index 91e957ea0..628c5433d 100755 --- a/other-vpol/block-images-with-volumes/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/block-images-with-volumes/.chainsaw-test/policy-ready.yaml @@ -4,13 +4,13 @@ metadata: name: block-images-with-volumes status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured \ No newline at end of file diff --git a/other-vpol/block-kubectl-cp/.chainsaw-test/chainsaw-test.yaml b/other-vpol/block-kubectl-cp/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..649401c16 --- /dev/null +++ b/other-vpol/block-kubectl-cp/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,29 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: block-kubectl-cp-by-pod-label +spec: + steps: + - name: step-01 + try: + - apply: + file: ../block-kubectl-cp.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: ns.yaml + - apply: + file: pods.yaml + - name: step-03 + try: + - script: + content: if kubectl cp -n bkc-podlabel-ns pod01:/test1.txt ./test1.txt; then exit 1;else + exit 0; fi + - name: step-04 + try: + - script: + content: rm -rf ./test1.txt diff --git a/other-vpol/block-kubectl-cp/.chainsaw-test/ns.yaml b/other-vpol/block-kubectl-cp/.chainsaw-test/ns.yaml new file mode 100644 index 000000000..83508f743 --- /dev/null +++ b/other-vpol/block-kubectl-cp/.chainsaw-test/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bkc-podlabel-ns diff --git a/other-vpol/block-kubectl-cp/.chainsaw-test/pods.yaml b/other-vpol/block-kubectl-cp/.chainsaw-test/pods.yaml new file mode 100644 index 000000000..ee38f109b --- /dev/null +++ b/other-vpol/block-kubectl-cp/.chainsaw-test/pods.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod01 + namespace: bkc-podlabel-ns +spec: + containers: + - name: busybox + image: busybox:1.35 + command: [ "/bin/sh", "-c" ] + args: + - touch /test1.txt + - sleep 300 diff --git a/other-vpol/block-kubectl-cp/.chainsaw-test/policy-ready.yaml b/other-vpol/block-kubectl-cp/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..94e046c62 --- /dev/null +++ b/other-vpol/block-kubectl-cp/.chainsaw-test/policy-ready.yaml 
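Review bot: The negative check in step-03 passes vacuously if `pod01` is not yet Running: `kubectl cp` fails against a Pending pod regardless of policy, and nothing in the test waits for readiness (the sibling exec tests in this PR at least sleep 5s). Add a readiness wait before the check, e.g. `kubectl wait --for=condition=Ready pod/pod01 -n bkc-podlabel-ns --timeout=60s`, and assert on the deny message rather than on any non-zero exit, e.g. `kubectl cp -n bkc-podlabel-ns pod01:/test1.txt ./test1.txt 2>&1 | grep -q 'Cannot use'`. There is also no positive case showing that a plain `kubectl exec -n bkc-podlabel-ns pod01 -- ls` still succeeds, which the policy description promises and which would catch over-matching in the policy's command check. The test is named `block-kubectl-cp-by-pod-label` and the pod fixture carries no label, so the name and the fixture should agree on whether a label is part of the contract.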
@@ -0,0 +1,15 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: block-kubectl-cp +status: + conditionStatus: + (conditions[?type == 'RBACPermissionsGranted']): + - reason: Failed + status: "False" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + \ No newline at end of file diff --git a/other-vpol/block-kubectl-cp/artifacthub-pkg.yml b/other-vpol/block-kubectl-cp/artifacthub-pkg.yml new file mode 100644 index 000000000..a1c862bab --- /dev/null +++ b/other-vpol/block-kubectl-cp/artifacthub-pkg.yml @@ -0,0 +1,24 @@ +name: block-kubectl-cp +version: 1.0.0 +displayName: Block "kubectl cp" by Pod Label in ValidatingPolicy +description: >- + The `kubectl cp` command allows copying files between a local machine and a Pod's container, which may introduce security risks. This policy blocks the use of the `kubectl cp` command for Pods with the label `block-kubectl-cp=true`, preventing unauthorized data transfers. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-vpol/block-kubectl-cp/block-kubectl-cp.yaml + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-vpol/block-kubectl-cp/block-kubectl-cp.yaml +keywords: + - kyverno + - kubectl + - other + - ValidatingPolicy +readme: | + The kubectl cp command allows copying files between a local machine and a Pod's container, but it can be misused for unauthorized data transfers. + This policy blocks the kubectl cp command for Pods labeled with block-kubectl-cp=true. +annotations: + kyverno/category: "Sample" + kyverno/kubernetesVersion: "1.30" + kyverno/subject: "Pod" +digest: 01a721b4a1ef2584aef21bcfbafa392ec3b6181054b331f11e570b146a0a9c6d +createdAt: "2025-12-02T13:59:47Z" 
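Review bot: The `install` block in artifacthub-pkg.yml opens a ```shell fence twice and never closes it, so the `kubectl apply` line is duplicated and the snippet will render broken on Artifact Hub; keep one fence and close it with ``` as the sibling packages do. The description and readme also state that only Pods labeled `block-kubectl-cp=true` are affected, but the policy added in the next hunk (block-kubectl-cp.yaml) checks no label at all, so either the text or the policy needs to change.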
diff --git a/other-vpol/block-kubectl-cp/block-kubectl-cp.yaml b/other-vpol/block-kubectl-cp/block-kubectl-cp.yaml new file mode 100644 index 000000000..3138ad7f7 --- /dev/null +++ b/other-vpol/block-kubectl-cp/block-kubectl-cp.yaml @@ -0,0 +1,34 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: block-kubectl-cp + annotations: + policies.kyverno.io/title: Block kubectl cp command by Pod Label + policies.kyverno.io/category: Sample + policies.kyverno.io/minversion: 1.15.0 + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + The kubectl cp command is used to copy files between a local machine and a Pod's container. + While this functionality is useful for transferring data, it may introduce security risks, + such as unauthorized data exfiltration or modification. This policy blocks the use of the + kubectl cp command on all Pods with label `block-kubectl-cp=true`, ensuring that sensitive + workloads are protected from unintended file transfers. Other kubectl operations are unaffected, + allowing for normal Pod management while preventing potential misuse of file copy capabilities. +spec: + evaluation: + background: + enabled: true + validationActions: ["Deny"] + matchConstraints: + resourceRules: + - resources: ["pods/exec"] + operations: ["CONNECT"] + apiGroups: [""] + apiVersions: ["v1"] + validations: + - message: > + Cannot use `kubectl cp` on pods + expression: > + object.command.size() >= 2 + && object.command[0] != "tar" + && object.command[1] != "cf" diff --git a/other-vpol/block-large-images/.chainsaw-test/policy-ready.yaml b/other-vpol/block-large-images/.chainsaw-test/policy-ready.yaml index 25e923303..277b95045 100755 --- a/other-vpol/block-large-images/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/block-large-images/.chainsaw-test/policy-ready.yaml 
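Review bot: The CEL validation denies more than `kubectl cp`: it only passes when `object.command.size() >= 2`, so any single-element exec such as `kubectl exec pod -- sh` or `-- ls` is rejected, contradicting the description's "Other kubectl operations are unaffected" (and the sibling exec tests in this PR use exactly that `-- ls` form). The `object.command[1] != "cf"` clause adds nothing once `command[0] != "tar"` is required except a false positive for any command whose second word is `cf`, and as far as kubectl's implementation goes the copy-into-pod direction runs `tar -xmf -`, which the `command[0]` check already covers. Suggest `expression: "!has(object.command) || object.command.size() == 0 || object.command[0] != 'tar'"` so an exec without a command does not error in evaluation. Separately, `background.enabled: true` on a policy that matches only `pods/exec` CONNECT has nothing to scan, and the test fixture expects `RBACPermissionsGranted: Failed`, which looks like the consequence — `enabled: false` seems the intended setting. The description's claim of a `block-kubectl-cp=true` label gate is not implemented here; either add a `resource.Get` lookup on the target pod's labels, as the `deny-exec-by-pod-label` policy in this PR does, or correct the description.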
@@ -4,13 +4,13 @@ metadata: name: block-large-images status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured \ No newline at end of file diff --git a/other-vpol/block-pod-exec-by-namespace/.chainsaw-test/chainsaw-test.yaml b/other-vpol/block-pod-exec-by-namespace/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..45f6044cb --- /dev/null +++ b/other-vpol/block-pod-exec-by-namespace/.chainsaw-test/chainsaw-test.yaml 
@@ -0,0 +1,47 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: block-pod-exec-by-namespace +spec: + steps: + - name: step-01 + try: + - apply: + file: ../block-pod-exec-by-namespace.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: ns.yaml + - apply: + file: pods.yaml + - apply: + file: podcontrollers.yaml + - name: step-03 + try: + - sleep: + duration: 5s + - name: step-04 + try: + - script: + content: if kubectl exec -n pci pod02 -- ls; then exit 1;else exit 0; fi + - script: + content: if kubectl exec -n pci deploy/deployment01 -- ls; then exit 1;else + exit 0; fi + - script: + content: kubectl exec -n block-pod-exec-ns pod01 -- ls + - script: + content: kubectl exec -n block-pod-exec-ns deploy/deployment02 -- ls + - name: step-99 + try: + - script: + content: kubectl delete deployments --all --force --grace-period=0 -n pci + - script: + content: kubectl delete deployments --all --force --grace-period=0 -n block-pod-exec-ns + - script: + content: kubectl delete pods --all --force --grace-period=0 -n pci + - script: + content: kubectl delete pods --all --force --grace-period=0 -n block-pod-exec-ns diff --git a/other-vpol/block-pod-exec-by-namespace/.chainsaw-test/ns.yaml b/other-vpol/block-pod-exec-by-namespace/.chainsaw-test/ns.yaml new file mode 100644 index 000000000..35d994cea --- /dev/null +++ b/other-vpol/block-pod-exec-by-namespace/.chainsaw-test/ns.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: block-pod-exec-ns +--- +apiVersion: v1 +kind: Namespace +metadata: + name: pci \ No newline at end of file diff --git a/other-vpol/block-pod-exec-by-namespace/.chainsaw-test/podcontrollers.yaml b/other-vpol/block-pod-exec-by-namespace/.chainsaw-test/podcontrollers.yaml new file mode 100644 index 000000000..1101c1cf9 
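Review bot: The negative checks in step-04 treat any non-zero exit of `kubectl exec` as a policy denial, so they pass even when the exec fails because the target pod is still Pending or the webhook was unreachable; the fixed `sleep: 5s` in step-03 does not guarantee the pods are Running either. Replace the sleep with explicit readiness waits and grep for the policy's deny message, so the test only passes when Kyverno actually blocked the request. The positive checks against `block-pod-exec-ns` are fine as written once the wait is in place.
```yaml
- name: step-03
  try:
    - script:
        content: |
          kubectl wait --for=condition=Ready pod --all -n pci --timeout=60s
          kubectl wait --for=condition=Ready pod --all -n block-pod-exec-ns --timeout=60s
- name: step-04
  try:
    - script:
        content: |
          if out=$(kubectl exec -n pci pod02 -- ls 2>&1); then exit 1; fi
          echo "$out" | grep -q "may not be exec'd into"
    - script:
        content: |
          if out=$(kubectl exec -n pci deploy/deployment01 -- ls 2>&1); then exit 1; fi
          echo "$out" | grep -q "may not be exec'd into"
    # … unchanged: positive exec checks in block-pod-exec-ns …
# … unchanged: step-99 cleanup …
```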
--- /dev/null +++ b/other-vpol/block-pod-exec-by-namespace/.chainsaw-test/podcontrollers.yaml @@ -0,0 +1,51 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: deployment01 + namespace: pci +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: bb + image: busybox:1.35 + command: ["sleep", "300"] + - name: bb2 + image: busybox:1.35 + command: ["sleep", "300"] +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: busybox + name: deployment02 + namespace: block-pod-exec-ns +spec: + replicas: 1 + selector: + matchLabels: + app: busybox + strategy: {} + template: + metadata: + labels: + app: busybox + spec: + containers: + - name: bb + image: busybox:1.35 + command: ["sleep", "300"] + - name: bb2 + image: busybox:1.35 + command: ["sleep", "300"] \ No newline at end of file diff --git a/other-vpol/block-pod-exec-by-namespace/.chainsaw-test/pods.yaml b/other-vpol/block-pod-exec-by-namespace/.chainsaw-test/pods.yaml new file mode 100644 index 000000000..a7147fa37 --- /dev/null +++ b/other-vpol/block-pod-exec-by-namespace/.chainsaw-test/pods.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod01 + namespace: block-pod-exec-ns +spec: + containers: + - name: busybox + image: busybox:1.35 + command: ["sleep", "300"] +--- +apiVersion: v1 +kind: Pod +metadata: + name: pod02 + namespace: pci +spec: + containers: + - name: busybox + image: busybox:1.35 + command: ["sleep", "300"] + - name: busybox02 + image: busybox:1.35 + command: ["sleep", "300"] \ No newline at end of file diff --git a/other-vpol/block-pod-exec-by-namespace/.chainsaw-test/policy-ready.yaml b/other-vpol/block-pod-exec-by-namespace/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..dcdd30b3d --- /dev/null +++ b/other-vpol/block-pod-exec-by-namespace/.chainsaw-test/policy-ready.yaml 
@@ -0,0 +1,15 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: deny-exec-by-namespace-name +status: + conditionStatus: + (conditions[?type == 'RBACPermissionsGranted']): + - reason: Failed + status: "False" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured + \ No newline at end of file diff --git a/other-vpol/block-pod-exec-by-namespace/artifacthub-pkg.yml b/other-vpol/block-pod-exec-by-namespace/artifacthub-pkg.yml new file mode 100644 index 000000000..10cce863a --- /dev/null +++ b/other-vpol/block-pod-exec-by-namespace/artifacthub-pkg.yml @@ -0,0 +1,22 @@ +name: block-pod-exec-by-namespace +version: 1.0.0 +displayName: Block Pod Exec by Namespace Name in ValidatingPolicy +description: >- + The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands to Pods in a Namespace called `pci`. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-vpol/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml + ``` +keywords: + - kyverno + - Sample + - ValidatingPolicy +readme: | + The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands to Pods in a Namespace called `pci`. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Sample" + kyverno/subject: "Pod" +digest: 87239d5197cdad615045ecaa971112fce7b26f386474a7b766c084386f861488 +createdAt: "2025-12-02T13:59:47Z" 
diff --git a/other-vpol/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml b/other-vpol/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml new file mode 100644 index 000000000..9c7010b5b --- /dev/null +++ b/other-vpol/block-pod-exec-by-namespace/block-pod-exec-by-namespace.yaml @@ -0,0 +1,29 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: deny-exec-by-namespace-name + annotations: + policies.kyverno.io/title: Block Pod Exec by Namespace Name + policies.kyverno.io/category: Sample + policies.kyverno.io/minversion: 1.15.0 + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can + be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. + This policy blocks Pod exec commands to Pods in a Namespace called `pci`. +spec: + evaluation: + background: + enabled: true + validationActions: ["Deny"] + matchConstraints: + resourceRules: + - resources: ["pods/exec"] + operations: ["CONNECT"] + apiGroups: [""] + apiVersions: ["v1"] + validations: + - message: > + Pods in this namespace may not be exec'd into. + expression: > + request.namespace != "pci" diff --git a/other-vpol/block-pod-exec-by-pod-label/.chainsaw-test/chainsaw-test.yaml b/other-vpol/block-pod-exec-by-pod-label/.chainsaw-test/chainsaw-test.yaml new file mode 100755 index 000000000..e29738e7b --- /dev/null +++ b/other-vpol/block-pod-exec-by-pod-label/.chainsaw-test/chainsaw-test.yaml 
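Review bot: `background.enabled: true` does not fit a policy whose only match is `pods/exec` on CONNECT — there is no stored object for a background scan to evaluate, and the `policy-ready.yaml` fixture added for this policy expects `RBACPermissionsGranted: Failed`, which reads as the consequence of that setting rather than a desired state; `background: enabled: false` looks like the intent. If the goal is to keep people out of containers in `pci`, note that `pods/attach` grants equivalent interactive access and is not matched here; adding `"pods/attach"` to `resources` is a one-line widening, and the description should say explicitly what is and is not covered (e.g. that `kubectl debug` via `pods/ephemeralcontainers` is out of scope for this policy). The hunk is the whole file, so nothing is cut off.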
@@ -0,0 +1,39 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: block-pod-exec-by-pod-label +spec: + steps: + - name: step-01 + try: + - apply: + file: ../block-pod-exec-by-pod-label.yaml + - assert: + file: policy-ready.yaml + - name: step-02 + try: + - apply: + file: ns.yaml + - apply: + file: pods.yaml + - name: step-03 + try: + - sleep: + duration: 5s + - name: step-04 + try: + - script: + content: if kubectl exec -n bpe-podlabel-ns pod03 -- ls; then exit 1;else + exit 0; fi + - script: + content: kubectl exec -n bpe-podlabel-ns pod01 -- ls + - script: + content: kubectl exec -n bpe-podlabel-ns pod02 -- ls + - script: + content: kubectl exec -n bpe-podlabel-ns pod04 -- ls + - name: step-99 + try: + - script: + content: kubectl delete all --all --force --grace-period=0 -n bpe-podlabel-ns diff --git a/other-vpol/block-pod-exec-by-pod-label/.chainsaw-test/ns.yaml b/other-vpol/block-pod-exec-by-pod-label/.chainsaw-test/ns.yaml new file mode 100644 index 000000000..92c152d2b --- /dev/null +++ b/other-vpol/block-pod-exec-by-pod-label/.chainsaw-test/ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: bpe-podlabel-ns \ No newline at end of file diff --git a/other-vpol/block-pod-exec-by-pod-label/.chainsaw-test/pods.yaml b/other-vpol/block-pod-exec-by-pod-label/.chainsaw-test/pods.yaml new file mode 100644 index 000000000..f40ce73bf --- /dev/null +++ b/other-vpol/block-pod-exec-by-pod-label/.chainsaw-test/pods.yaml 
@@ -0,0 +1,51 @@ +apiVersion: v1 +kind: Pod +metadata: + name: pod01 + namespace: bpe-podlabel-ns +spec: + containers: + - name: busybox + image: busybox:1.35 + command: ["sleep", "300"] +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + name: pod02 + namespace: bpe-podlabel-ns +spec: + containers: + - name: busybox + image: busybox:1.35 + command: ["sleep", "300"] +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + foo: bar + exec: "false" + name: pod03 + namespace: bpe-podlabel-ns +spec: + containers: + - name: busybox + image: busybox:1.35 + command: ["sleep", "300"] +--- +apiVersion: v1 +kind: Pod +metadata: + labels: + exec: "true" + foo: bar + name: pod04 + namespace: bpe-podlabel-ns +spec: + containers: + - name: busybox + image: busybox:1.35 + command: ["sleep", "300"] \ No newline at end of file diff --git a/other-vpol/block-pod-exec-by-pod-label/.chainsaw-test/policy-ready.yaml b/other-vpol/block-pod-exec-by-pod-label/.chainsaw-test/policy-ready.yaml new file mode 100644 index 000000000..7a719b0d8 --- /dev/null +++ b/other-vpol/block-pod-exec-by-pod-label/.chainsaw-test/policy-ready.yaml @@ -0,0 +1,14 @@ +apiVersion: policies.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: deny-exec-by-pod-label +status: + conditionStatus: + (conditions[?type == 'RBACPermissionsGranted']): + - reason: Failed + status: "False" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured \ No newline at end of file diff --git a/other-vpol/block-pod-exec-by-pod-label/artifacthub-pkg.yml b/other-vpol/block-pod-exec-by-pod-label/artifacthub-pkg.yml new file mode 100644 index 000000000..26dff2c85 --- /dev/null +++ b/other-vpol/block-pod-exec-by-pod-label/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@
+name: block-pod-exec-by-pod-label
+version: 1.0.0
+displayName: Block Pod Exec by Pod Label in ValidatingPolicy
+description: >-
+ The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands to Pods having the label `exec=false`.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-vpol/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label.yaml
+ ```
+keywords:
+ - kyverno
+ - Sample
+ - ValidatingPolicy
+readme: |
+ The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands to Pods having the label `exec=false`.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Sample"
+ kyverno/subject: "Pod"
+digest: 6a600b7b9ddb201b36a4911443642fa0c4158499678c17d08bf285695a3c42b7
+createdAt: "2025-12-02T13:59:46Z"
diff --git a/other-vpol/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label.yaml b/other-vpol/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label.yaml
new file mode 100644
index 000000000..ef9d6ebc7
--- /dev/null
+++ b/other-vpol/block-pod-exec-by-pod-label/block-pod-exec-by-pod-label.yaml
@@ -0,0 +1,32 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: deny-exec-by-pod-label
+ annotations:
+ policies.kyverno.io/title: Block Pod Exec by Pod Label
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/minversion: 1.15.0
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can
+ be useful for troubleshooting purposes, it could represent an attack vector and is discouraged.
+ This policy blocks Pod exec commands to Pods having the label `exec=false`.
+spec:
+ evaluation:
+ background:
+ enabled: true
+ validationActions: ["Deny"]
+ matchConstraints:
+ resourceRules:
+ - resources: ["pods/exec"]
+ operations: ["CONNECT"]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ variables:
+ - name: pod
+ expression: resource.Get("v1", "pods", request.namespace, request.name)
+ validations:
+ - message: >
+ Pods in this namespace may not be exec'd into.
+ expression: >
+ variables.pod.metadata.?labels[?'exec'].orValue('') != 'false'
diff --git a/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/chainsaw-test.yaml b/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/chainsaw-test.yaml
new file mode 100755
index 000000000..196a64465
--- /dev/null
+++ b/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/chainsaw-test.yaml
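Review bot: The denial message `Pods in this namespace may not be exec'd into.` does not describe the rule: the expression on the last line denies only Pods carrying the label `exec=false`, so an operator reading the denial will look for a namespace-level restriction that does not exist. Suggest `message: "Pods labeled exec=false may not be exec'd into."`. The `resource.Get("v1", "pods", request.namespace, request.name)` variable also makes every exec decision depend on the admission controller being allowed to read Pods; the accompanying policy-ready fixture expects `RBACPermissionsGranted` to be Failed, so it is worth confirming that the lookup succeeds under the shipped RBAC and that a lookup error is handled fail-closed rather than silently allowing the request. A short comment above `variables:` stating that the Pod read requires `get` on `pods` for the admission controller would make that dependency visible to anyone copying the policy.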
@@ -0,0 +1,42 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: block-pod-exec-by-pod-name
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../block-pod-exec-by-pod-name.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: namespace.yaml
+ - apply:
+ file: pod-1.yaml
+ - apply:
+ file: pod-2.yaml
+ - apply:
+ file: pod-3.yaml
+ - name: step-03
+ try:
+ - sleep:
+ duration: 5s
+ - name: step-04
+ try:
+ - script:
+ content: if kubectl exec -n bpe-podname-ns myapp-maintenance-01 -- ls; then
+ exit 1;else exit 0; fi
+ - script:
+ content: if kubectl exec -n bpe-podname-ns myapp-maintenance-02 -- ls; then
+ exit 1;else exit 0; fi
+ - script:
+ content: kubectl exec -n bpe-podname-ns not-myapp -- ls
+ - name: step-99
+ try:
+ - script:
+ content: kubectl delete all --all --force --grace-period=0 -n bpe-podname-ns
diff --git a/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/namespace.yaml b/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/namespace.yaml
new file mode 100755
index 000000000..fe29d53f8
--- /dev/null
+++ b/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: bpe-podname-ns
diff --git a/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/pod-1.yaml b/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/pod-1.yaml
new file mode 100755
index 000000000..270b158a1
--- /dev/null
+++ b/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/pod-1.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-maintenance-01
+ namespace: bpe-podname-ns
+spec:
+ containers:
+ - command:
+ - sleep
+ - "300"
+ image: busybox:1.35
+ name: busybox
+ - command:
+ - sleep
+ - "300"
+ image: busybox:1.35
+ name: busybox02
diff --git a/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/pod-2.yaml b/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/pod-2.yaml
new file mode 100755
index 000000000..df5175c37
--- /dev/null
+++ b/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/pod-2.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-maintenance-02
+ namespace: bpe-podname-ns
+spec:
+ containers:
+ - command:
+ - sleep
+ - "300"
+ image: busybox:1.35
+ name: busybox
diff --git a/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/pod-3.yaml b/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/pod-3.yaml
new file mode 100755
index 000000000..913624af6
--- /dev/null
+++ b/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/pod-3.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: not-myapp
+ namespace: bpe-podname-ns
+spec:
+ containers:
+ - command:
+ - sleep
+ - "300"
+ image: busybox:1.35
+ name: busybox
+ - command:
+ - sleep
+ - "300"
+ image: busybox:1.35
+ name: busybox02
diff --git a/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/policy-ready.yaml b/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/policy-ready.yaml
new file mode 100644
index 000000000..3560b0172
--- /dev/null
+++ b/other-vpol/block-pod-exec-by-pod-name/.chainsaw-test/policy-ready.yaml
@@ -0,0 +1,15 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: deny-exec-by-pod-name
+status:
+ conditionStatus:
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - reason: Failed
+ status: "False"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
+
\ No newline at end of file
diff --git a/other-vpol/block-pod-exec-by-pod-name/artifacthub-pkg.yml b/other-vpol/block-pod-exec-by-pod-name/artifacthub-pkg.yml
new file mode 100644
index 000000000..08079cc81
--- /dev/null
+++ b/other-vpol/block-pod-exec-by-pod-name/artifacthub-pkg.yml
@@ -0,0 +1,22 @@
+name: block-pod-exec-by-pod-name
+version: 1.0.0
+displayName: Block Pod Exec by Pod Name in ValidatingPolicy
+description: >-
+ The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands to Pods beginning with the name `myapp-maintenance-`.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-vpol/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml
+ ```
+keywords:
+ - kyverno
+ - Sample
+ - ValidatingPolicy
+readme: |
+ The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can be useful for troubleshooting purposes, it could represent an attack vector and is discouraged. This policy blocks Pod exec commands to Pods beginning with the name `myapp-maintenance-`.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Sample"
+ kyverno/subject: "Pod"
+digest: e4648f22588be1ffb8b9c966956f4000ef39307a469ec65161a167c7afb6d463
+createdAt: "2025-12-02T13:59:47Z"
diff --git a/other-vpol/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml b/other-vpol/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml
new file mode 100644
index 000000000..2121479e8
--- /dev/null
+++ b/other-vpol/block-pod-exec-by-pod-name/block-pod-exec-by-pod-name.yaml
@@ -0,0 +1,30 @@
+apiVersion: policies.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: deny-exec-by-pod-name
+ annotations:
+ policies.kyverno.io/title: Block Pod Exec by Pod Name
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/minversion: 1.15.0
+ policies.kyverno.io/subject: Pod
+ policies.kyverno.io/description: >-
+ The `exec` command may be used to gain shell access, or run other commands, in a Pod's container. While this can
+ be useful for troubleshooting purposes, it could represent an attack vector and is discouraged.
+ This policy blocks Pod exec commands to Pods beginning with the name
+ `myapp-maintenance-`.
+spec:
+ evaluation:
+ background:
+ enabled: true
+ validationActions: ["Deny"]
+ matchConstraints:
+ resourceRules:
+ - resources: ["pods/exec"]
+ operations: ["CONNECT"]
+ apiGroups: [""]
+ apiVersions: ["v1"]
+ validations:
+ - message: >
+ Exec'ing into Pods called "myapp-maintenance" is not allowed.
+ expression: >
+ !request.name.startsWith("myapp-maintenance-")
diff --git a/other-vpol/check-env-vars/.chainsaw-test/policy-ready.yaml b/other-vpol/check-env-vars/.chainsaw-test/policy-ready.yaml
index aac4682ca..c29f53a5c 100755
--- a/other-vpol/check-env-vars/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/check-env-vars/.chainsaw-test/policy-ready.yaml
@@ -4,14 +4,14 @@ metadata:
 name: check-env-vars
 status:
 conditionStatus:
- (conditions[?type == 'RBACPermissionsGranted']):
- - message: Policy is ready for reporting.
- reason: Succeeded
- status: "True"
- (conditions[?type == 'WebhookConfigured']):
- - message: Webhook configured.
- reason: Succeeded
- status: "True"
- type: WebhookConfigured
+ (conditions[?type == 'RBACPermissionsGranted']):
+ - message: Policy is ready for reporting.
+ reason: Succeeded
+ status: "True"
+ (conditions[?type == 'WebhookConfigured']):
+ - message: Webhook configured.
+ reason: Succeeded
+ status: "True"
+ type: WebhookConfigured
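Review bot: The message `Exec'ing into Pods called "myapp-maintenance" is not allowed.` does not match the rule it reports on: the expression `!request.name.startsWith("myapp-maintenance-")` denies any Pod whose name begins with the prefix `myapp-maintenance-`, not a Pod with that exact name, so the text should read `Exec'ing into Pods whose name starts with "myapp-maintenance-" is not allowed.`. `background.enabled: true` also looks out of place for a policy that matches only `pods/exec` on `CONNECT`: the matched object is a subresource request rather than a stored resource, so there appears to be nothing for a background scan to evaluate; if background reports are not intended, `enabled: false` states that explicitly — worth confirming against how Kyverno treats subresource matches in background mode, and the same applies to the block-pod-exec-by-pod-label policy above.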
diff --git a/other-vpol/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml b/other-vpol/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml index 2f2c9f98c..4f7658656 100644 --- a/other-vpol/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/check-serviceaccount-secrets/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,14 @@ metadata: name: check-serviceaccount-secrets status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/deny-commands-in-exec-probe/.chainsaw-test/policy-ready.yaml b/other-vpol/deny-commands-in-exec-probe/.chainsaw-test/policy-ready.yaml index 37507d1d3..5f2fa3508 100755 --- a/other-vpol/deny-commands-in-exec-probe/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/deny-commands-in-exec-probe/.chainsaw-test/policy-ready.yaml @@ -4,13 +4,13 @@ metadata: name: deny-commands-in-exec-probe status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured 
diff --git a/other-vpol/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml b/other-vpol/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml index ab1640be1..4fc9b3167 100644 --- a/other-vpol/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/deny-secret-service-account-token-type/.chainsaw-test/policy-ready.yaml @@ -3,13 +3,13 @@ kind: ValidatingPolicy metadata: name: deny-secret-service-account-token-type status: - conditionStatus: - conditions: - - reason: Succeeded - status: "True" - type: WebhookConfigured - - reason: Failed - status: "False" - type: RBACPermissionsGranted - + conditionStatus: + (conditions[?type == 'RBACPermissionsGranted']): + - reason: Failed + status: "False" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured \ No newline at end of file diff --git a/other-vpol/disallow-all-secrets/.chainsaw-test/policy-ready.yaml b/other-vpol/disallow-all-secrets/.chainsaw-test/policy-ready.yaml index e68bc258f..5cf723aa8 100755 --- a/other-vpol/disallow-all-secrets/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/disallow-all-secrets/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: no-secrets status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured 
diff --git a/other-vpol/disallow-localhost-services/.chainsaw-test/policy-ready.yaml b/other-vpol/disallow-localhost-services/.chainsaw-test/policy-ready.yaml index 8e3bd9c80..0db2b9877 100755 --- a/other-vpol/disallow-localhost-services/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/disallow-localhost-services/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: no-localhost-service status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml b/other-vpol/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml index 065f0dad5..2c6e135d1 100755 --- a/other-vpol/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/disallow-secrets-from-env-vars/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: secrets-not-from-env-vars status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured 
diff --git a/other-vpol/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml b/other-vpol/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml index 566bba0ae..5851bf6d9 100755 --- a/other-vpol/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/docker-socket-requires-label/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: docker-socket-check status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/enforce-pod-duration/.chainsaw-test/policy-ready.yaml b/other-vpol/enforce-pod-duration/.chainsaw-test/policy-ready.yaml index 517f7449b..f257ce877 100755 --- a/other-vpol/enforce-pod-duration/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/enforce-pod-duration/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: pod-lifetime status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured 
diff --git a/other-vpol/ensure-probes-different/.chainsaw-test/policy-ready.yaml b/other-vpol/ensure-probes-different/.chainsaw-test/policy-ready.yaml index 07c8cadfa..e6b6db50a 100755 --- a/other-vpol/ensure-probes-different/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/ensure-probes-different/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: validate-probes status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml b/other-vpol/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml index 0ea85fe4b..8f6de0c52 100755 --- a/other-vpol/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/ensure-readonly-hostpath/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: ensure-readonly-hostpath status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured 
diff --git a/other-vpol/exclude-namespaces-dynamically/.chainsaw-test/policy-ready.yaml b/other-vpol/exclude-namespaces-dynamically/.chainsaw-test/policy-ready.yaml index 77827d4c3..05a557927 100755 --- a/other-vpol/exclude-namespaces-dynamically/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/exclude-namespaces-dynamically/.chainsaw-test/policy-ready.yaml @@ -4,13 +4,12 @@ metadata: name: exclude-namespaces-example status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml b/other-vpol/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml index db1c74c03..97657596b 100755 --- a/other-vpol/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/forbid-cpu-limits/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: forbid-cpu-limits status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured 
diff --git a/other-vpol/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml b/other-vpol/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml index 5c893017f..3832c95c4 100755 --- a/other-vpol/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/imagepullpolicy-always/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: imagepullpolicy-always status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml b/other-vpol/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml index 1e4e21799..96742366c 100755 --- a/other-vpol/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/ingress-host-match-tls/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: ingress-host-match-tls status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured 
diff --git a/other-vpol/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml b/other-vpol/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml index c6b48ac65..5adbcf6d5 100755 --- a/other-vpol/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/limit-containers-per-pod/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: limit-containers-per-pod status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml b/other-vpol/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml index fff7a4f0e..20f1fba8b 100755 --- a/other-vpol/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/limit-hostpath-type-pv/.chainsaw-test/policy-ready.yaml @@ -4,10 +4,11 @@ metadata: name: limit-hostpath-type-pv status: conditionStatus: - conditions: - - reason: Succeeded - type: WebhookConfigured - status: "True" + (conditions[?type == 'RBACPermissionsGranted']): - reason: Failed status: "False" - type: RBACPermissionsGranted \ No newline at end of file + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/limit-hostpath-vols/.chainsaw-test/policy-ready.yaml b/other-vpol/limit-hostpath-vols/.chainsaw-test/policy-ready.yaml index 9d3bea3a0..ca478e4b3 100755 --- a/other-vpol/limit-hostpath-vols/.chainsaw-test/policy-ready.yaml 
+++ b/other-vpol/limit-hostpath-vols/.chainsaw-test/policy-ready.yaml @@ -4,13 +4,12 @@ metadata: name: limit-hostpath-vols status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml b/other-vpol/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml index 74c763c1f..cfa2dae91 100755 --- a/other-vpol/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/memory-requests-equal-limits/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: memory-requests-equal-limits status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/metadata-match-regex/.chainsaw-test/policy-ready.yaml b/other-vpol/metadata-match-regex/.chainsaw-test/policy-ready.yaml index 4c1397942..628d13168 100644 --- a/other-vpol/metadata-match-regex/.chainsaw-test/policy-ready.yaml 
+++ b/other-vpol/metadata-match-regex/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: metadata-match-regex status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml b/other-vpol/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml index f5f22f3bf..425468fad 100755 --- a/other-vpol/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/pdb-maxunavailable/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,13 @@ metadata: name: pdb-maxunavailable status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/prevent-bare-pods/.chainsaw-test/policy-ready.yaml b/other-vpol/prevent-bare-pods/.chainsaw-test/policy-ready.yaml index 53266b878..f76625885 100755 --- a/other-vpol/prevent-bare-pods/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/prevent-bare-pods/.chainsaw-test/policy-ready.yaml 
@@ -4,14 +4,12 @@ metadata: name: prevent-bare-pods status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/prevent-cr8escape/.chainsaw-test/policy-ready.yaml b/other-vpol/prevent-cr8escape/.chainsaw-test/policy-ready.yaml index 3e2823b87..b960e7dd9 100644 --- a/other-vpol/prevent-cr8escape/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/prevent-cr8escape/.chainsaw-test/policy-ready.yaml @@ -4,13 +4,12 @@ metadata: name: prevent-cr8escape status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/require-annotations/.chainsaw-test/policy-ready.yaml b/other-vpol/require-annotations/.chainsaw-test/policy-ready.yaml index 05f77bdfd..861cc7840 100755 --- a/other-vpol/require-annotations/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/require-annotations/.chainsaw-test/policy-ready.yaml 
@@ -4,14 +4,12 @@ metadata: name: require-annotations status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/require-container-port-names/.chainsaw-test/policy-ready.yaml b/other-vpol/require-container-port-names/.chainsaw-test/policy-ready.yaml index bba9e117c..00651c999 100755 --- a/other-vpol/require-container-port-names/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/require-container-port-names/.chainsaw-test/policy-ready.yaml @@ -4,13 +4,12 @@ metadata: name: require-container-port-names status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/require-deployments-have-multiple-replicas/.chainsaw-test/policy-ready.yaml b/other-vpol/require-deployments-have-multiple-replicas/.chainsaw-test/policy-ready.yaml index aa5354a6e..8d5f4a59b 100755 --- a/other-vpol/require-deployments-have-multiple-replicas/.chainsaw-test/policy-ready.yaml 
+++ b/other-vpol/require-deployments-have-multiple-replicas/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: deployment-has-multiple-replicas status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/require-emptydir-requests-limits/.chainsaw-test/policy-ready.yaml b/other-vpol/require-emptydir-requests-limits/.chainsaw-test/policy-ready.yaml index 3a2791b72..3b1896c89 100755 --- a/other-vpol/require-emptydir-requests-limits/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/require-emptydir-requests-limits/.chainsaw-test/policy-ready.yaml @@ -4,13 +4,12 @@ metadata: name: require-emptydir-requests-and-limits status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/require-image-checksum/.chainsaw-test/policy-ready.yaml b/other-vpol/require-image-checksum/.chainsaw-test/policy-ready.yaml index 455e699c3..9c05a8f11 100755 
--- a/other-vpol/require-image-checksum/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/require-image-checksum/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: require-image-checksum status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/require-ingress-https/.chainsaw-test/policy-ready.yaml b/other-vpol/require-ingress-https/.chainsaw-test/policy-ready.yaml index 9e96555c6..38790bc06 100755 --- a/other-vpol/require-ingress-https/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/require-ingress-https/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: require-ingress-https status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/require-non-root-groups/.chainsaw-test/policy-ready.yaml b/other-vpol/require-non-root-groups/.chainsaw-test/policy-ready.yaml index 0111192f5..1e60d0995 100755 --- a/other-vpol/require-non-root-groups/.chainsaw-test/policy-ready.yaml 
+++ b/other-vpol/require-non-root-groups/.chainsaw-test/policy-ready.yaml @@ -4,13 +4,12 @@ metadata: name: require-non-root-groups status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/require-pod-priorityclassname/.chainsaw-test/policy-ready.yaml b/other-vpol/require-pod-priorityclassname/.chainsaw-test/policy-ready.yaml index 57b582c51..b1426a748 100644 --- a/other-vpol/require-pod-priorityclassname/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/require-pod-priorityclassname/.chainsaw-test/policy-ready.yaml @@ -4,13 +4,12 @@ metadata: name: require-pod-priorityclassname status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/require-qos-burstable/.chainsaw-test/policy-ready.yaml b/other-vpol/require-qos-burstable/.chainsaw-test/policy-ready.yaml index 1981855e1..62fd6c62a 100755 --- a/other-vpol/require-qos-burstable/.chainsaw-test/policy-ready.yaml 
+++ b/other-vpol/require-qos-burstable/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: require-qos-burstable status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/require-qos-guaranteed/.chainsaw-test/policy-ready.yaml b/other-vpol/require-qos-guaranteed/.chainsaw-test/policy-ready.yaml index 7d1142eb7..4bde21150 100755 --- a/other-vpol/require-qos-guaranteed/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/require-qos-guaranteed/.chainsaw-test/policy-ready.yaml @@ -4,13 +4,12 @@ metadata: name: require-qos-guaranteed status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/require-storageclass/.chainsaw-test/policy-ready.yaml b/other-vpol/require-storageclass/.chainsaw-test/policy-ready.yaml index ded4bd068..30c077977 100755 --- a/other-vpol/require-storageclass/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/require-storageclass/.chainsaw-test/policy-ready.yaml 
@@ -4,14 +4,12 @@ metadata: name: require-storageclass status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-annotations/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-annotations/.chainsaw-test/policy-ready.yaml index d06cee8d3..c5844dd10 100755 --- a/other-vpol/restrict-annotations/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-annotations/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: restrict-annotations status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-binding-clusteradmin/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-binding-clusteradmin/.chainsaw-test/policy-ready.yaml index 1c85a6400..758fa0157 100755 --- a/other-vpol/restrict-binding-clusteradmin/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-binding-clusteradmin/.chainsaw-test/policy-ready.yaml 
@@ -4,10 +4,11 @@ metadata: name: restrict-binding-clusteradmin status: conditionStatus: - conditions: - - reason: Succeeded - type: WebhookConfigured - status: "True" + (conditions[?type == 'RBACPermissionsGranted']): - reason: Failed status: "False" - type: RBACPermissionsGranted \ No newline at end of file + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-binding-system-groups/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-binding-system-groups/.chainsaw-test/policy-ready.yaml index 6553e7b60..7094ae244 100755 --- a/other-vpol/restrict-binding-system-groups/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-binding-system-groups/.chainsaw-test/policy-ready.yaml @@ -4,10 +4,11 @@ metadata: name: restrict-binding-system-groups status: conditionStatus: - conditions: - - reason: Succeeded - type: WebhookConfigured - status: "True" + (conditions[?type == 'RBACPermissionsGranted']): - reason: Failed status: "False" - type: RBACPermissionsGranted + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-clusterrole-nodesproxy/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-clusterrole-nodesproxy/.chainsaw-test/policy-ready.yaml index 92639fed6..3482a865f 100755 --- a/other-vpol/restrict-clusterrole-nodesproxy/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-clusterrole-nodesproxy/.chainsaw-test/policy-ready.yaml 
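Review bot: The new `(conditions[?type == 'RBACPermissionsGranted']):` block keeps `reason: Failed` / `status: "False"` as the expected state of a readiness fixture, and nothing in the file says why a failed permissions condition counts as ready; the same shape is written for restrict-binding-system-groups (same line), restrict-clusterrole-nodesproxy, restrict-escalation-verbs-roles, restrict-secret-role-verbs, restrict-storageclass, restrict-wildcard-resources and restrict-wildcard-verbs. Presumably the controller is not granted list/watch on the RBAC objects these policies target, so only the admission-webhook path is exercised and background reporting is not; if that is the reason it is worth stating, because a later change that grants those permissions would flip this assertion and read as a regression. A comment above the key would cover it: `# RBACPermissionsGranted is expected to be False: the controller has no list/watch RBAC on this policy's target resources, so readiness here means the WebhookConfigured condition only`. The RBAC entry also drops `type: RBACPermissionsGranted` while the WebhookConfigured entry keeps `type: WebhookConfigured`; since the JMESPath filter already fixes the type, either keep both or drop both for consistency. The document's apiVersion/kind lines sit above the hunk.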
@@ -4,11 +4,11 @@ metadata: name: restrict-clusterrole-nodesproxy status: conditionStatus: - conditions: - - reason: Succeeded - type: WebhookConfigured - status: "True" + (conditions[?type == 'RBACPermissionsGranted']): - reason: Failed status: "False" - type: RBACPermissionsGranted - + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-controlplane-scheduling/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-controlplane-scheduling/.chainsaw-test/policy-ready.yaml index 4742427a2..84f9832ce 100755 --- a/other-vpol/restrict-controlplane-scheduling/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-controlplane-scheduling/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: restrict-controlplane-scheduling status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml index 527c2dfa6..2b3bfbcab 100644 --- a/other-vpol/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-deprecated-registry/.chainsaw-test/policy-ready.yaml 
@@ -4,14 +4,12 @@ metadata: name: restrict-deprecated-registry status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-escalation-verbs-roles/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-escalation-verbs-roles/.chainsaw-test/policy-ready.yaml index e9eb0513a..fb82e6e34 100755 --- a/other-vpol/restrict-escalation-verbs-roles/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-escalation-verbs-roles/.chainsaw-test/policy-ready.yaml @@ -4,11 +4,11 @@ metadata: name: restrict-escalation-verbs-roles status: conditionStatus: - conditions: - - reason: Succeeded - type: WebhookConfigured - status: "True" + (conditions[?type == 'RBACPermissionsGranted']): - reason: Failed status: "False" - type: RBACPermissionsGranted - + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-ingress-classes/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-ingress-classes/.chainsaw-test/policy-ready.yaml index 20a0659d3..49a7f39ba 100755 --- a/other-vpol/restrict-ingress-classes/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-ingress-classes/.chainsaw-test/policy-ready.yaml 
@@ -4,14 +4,12 @@ metadata: name: restrict-ingress-classes status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-ingress-defaultbackend/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-ingress-defaultbackend/.chainsaw-test/policy-ready.yaml index f1746ce11..9a8ff6bd2 100755 --- a/other-vpol/restrict-ingress-defaultbackend/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-ingress-defaultbackend/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: restrict-ingress-defaultbackend status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-ingress-wildcard/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-ingress-wildcard/.chainsaw-test/policy-ready.yaml index 5dae5a33b..b95d5f8c6 100755 --- a/other-vpol/restrict-ingress-wildcard/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-ingress-wildcard/.chainsaw-test/policy-ready.yaml 
@@ -4,14 +4,12 @@ metadata: name: restrict-ingress-wildcard status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-jobs/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-jobs/.chainsaw-test/policy-ready.yaml index 46ccadbc5..eb4f8145a 100644 --- a/other-vpol/restrict-jobs/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-jobs/.chainsaw-test/policy-ready.yaml @@ -4,13 +4,13 @@ metadata: name: restrict-jobs status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured \ No newline at end of file diff --git a/other-vpol/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml index e659320fb..da87af9d5 100755 --- a/other-vpol/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-loadbalancer/.chainsaw-test/policy-ready.yaml 
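Review bot: The new side of the restrict-jobs hunk ends in `\ No newline at end of file` after `type: WebhookConfigured`, whereas the old side had a trailing newline and the sibling fixture for restrict-node-label-creation later in this commit gains one; the file should end with a single newline like the rest of the set. Restoring it keeps yamllint's `new-line-at-end-of-file` check clean and makes the reindent uniform across these fixtures.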
@@ -4,14 +4,12 @@ metadata: name: no-loadbalancer-service status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-networkpolicy-empty-podselector/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-networkpolicy-empty-podselector/.chainsaw-test/policy-ready.yaml index e0cc603ab..7ef769e7f 100755 --- a/other-vpol/restrict-networkpolicy-empty-podselector/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-networkpolicy-empty-podselector/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: restrict-networkpolicy-empty-podselector status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-node-affinity/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-node-affinity/.chainsaw-test/policy-ready.yaml index 9df4c9c0e..07396c50f 100755 --- a/other-vpol/restrict-node-affinity/.chainsaw-test/policy-ready.yaml 
+++ b/other-vpol/restrict-node-affinity/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: restrict-node-affinity status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-node-label-creation/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-node-label-creation/.chainsaw-test/policy-ready.yaml index 9fdbdd30c..120fabba1 100644 --- a/other-vpol/restrict-node-label-creation/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-node-label-creation/.chainsaw-test/policy-ready.yaml @@ -4,12 +4,11 @@ metadata: name: restrict-node-label-creation status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - reason: Failed - status: "False" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - \ No newline at end of file + (conditions[?type == 'RBACPermissionsGranted']): + - reason: Failed + status: "False" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/policy-ready.yaml index 71dc60422..d78b53ab2 100755 --- a/other-vpol/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/policy-ready.yaml 
+++ b/other-vpol/restrict-pod-controller-serviceaccount-updates/.chainsaw-test/policy-ready.yaml @@ -4,13 +4,12 @@ metadata: name: restrict-pod-controller-serviceaccount-updates status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-sa-automount-sa-token/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-sa-automount-sa-token/.chainsaw-test/policy-ready.yaml index eaed9ba33..37d648690 100644 --- a/other-vpol/restrict-sa-automount-sa-token/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-sa-automount-sa-token/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: restrict-sa-automount-sa-token status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-secret-role-verbs/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-secret-role-verbs/.chainsaw-test/policy-ready.yaml index 4a6fcdf76..80540eaaf 100755 
--- a/other-vpol/restrict-secret-role-verbs/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-secret-role-verbs/.chainsaw-test/policy-ready.yaml @@ -4,11 +4,11 @@ metadata: name: restrict-secret-role-verbs status: conditionStatus: - conditions: - - reason: Succeeded - type: WebhookConfigured - status: "True" + (conditions[?type == 'RBACPermissionsGranted']): - reason: Failed status: "False" - type: RBACPermissionsGranted - + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-secrets-by-name/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-secrets-by-name/.chainsaw-test/policy-ready.yaml index 4f54a9dea..1a2fb8c4a 100755 --- a/other-vpol/restrict-secrets-by-name/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-secrets-by-name/.chainsaw-test/policy-ready.yaml @@ -4,14 +4,12 @@ metadata: name: restrict-secrets-by-name status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-service-port-range/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-service-port-range/.chainsaw-test/policy-ready.yaml index e354f80e3..fb9b262ce 100755 --- a/other-vpol/restrict-service-port-range/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-service-port-range/.chainsaw-test/policy-ready.yaml 
@@ -4,14 +4,12 @@ metadata: name: restrict-service-port-range status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-storageclass/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-storageclass/.chainsaw-test/policy-ready.yaml index 39dfa04af..7b0956b56 100755 --- a/other-vpol/restrict-storageclass/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-storageclass/.chainsaw-test/policy-ready.yaml @@ -4,10 +4,11 @@ metadata: name: restrict-storageclass status: conditionStatus: - conditions: - - reason: Succeeded - type: WebhookConfigured - status: "True" + (conditions[?type == 'RBACPermissionsGranted']): - reason: Failed status: "False" - type: RBACPermissionsGranted \ No newline at end of file + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-usergroup-fsgroup-id/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-usergroup-fsgroup-id/.chainsaw-test/policy-ready.yaml index 2fbb5f87d..b25257318 100755 --- a/other-vpol/restrict-usergroup-fsgroup-id/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-usergroup-fsgroup-id/.chainsaw-test/policy-ready.yaml 
@@ -4,14 +4,12 @@ metadata: name: validate-userid-groupid-fsgroup status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-wildcard-resources/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-wildcard-resources/.chainsaw-test/policy-ready.yaml index 880d25a10..cceb53a93 100755 --- a/other-vpol/restrict-wildcard-resources/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-wildcard-resources/.chainsaw-test/policy-ready.yaml @@ -4,11 +4,11 @@ metadata: name: restrict-wildcard-resources status: conditionStatus: - conditions: - - reason: Succeeded - type: WebhookConfigured - status: "True" + (conditions[?type == 'RBACPermissionsGranted']): - reason: Failed status: "False" - type: RBACPermissionsGranted - + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured diff --git a/other-vpol/restrict-wildcard-verbs/.chainsaw-test/policy-ready.yaml b/other-vpol/restrict-wildcard-verbs/.chainsaw-test/policy-ready.yaml index 3003ad91a..b113f21cb 100755 --- a/other-vpol/restrict-wildcard-verbs/.chainsaw-test/policy-ready.yaml +++ b/other-vpol/restrict-wildcard-verbs/.chainsaw-test/policy-ready.yaml 
@@ -3,13 +3,12 @@ kind: ValidatingPolicy metadata: name: restrict-wildcard-verbs status: - conditionStatus: - conditions: - - reason: Succeeded - status: "True" - type: WebhookConfigured - - reason: Failed - status: "False" - type: RBACPermissionsGranted - - \ No newline at end of file + conditionStatus: + (conditions[?type == 'RBACPermissionsGranted']): + - reason: Failed + status: "False" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured
diff --git a/other-vpol/topologyspreadconstraints-policy/.chainsaw-test/policy-ready.yaml b/other-vpol/topologyspreadconstraints-policy/.chainsaw-test/policy-ready.yaml
index 65685ac54..b4e29e35f 100755
--- a/other-vpol/topologyspreadconstraints-policy/.chainsaw-test/policy-ready.yaml
+++ b/other-vpol/topologyspreadconstraints-policy/.chainsaw-test/policy-ready.yaml
@@ -4,13 +4,12 @@ metadata: name: topologyspreadconstraints-policy status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured
diff --git a/other-vpol/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other-vpol/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml
index 8265f8e19..477837f2d 100755
--- a/other-vpol/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml
+++ b/other-vpol/unique-ingress-paths/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -4,13 +4,12 @@ metadata: name: unique-ingress-path status: conditionStatus: - (conditions[?type == 'RBACPermissionsGranted']): - - message: Policy is ready for reporting. - reason: Succeeded - status: "True" - (conditions[?type == 'WebhookConfigured']): - - message: Webhook configured. - reason: Succeeded - status: "True" - type: WebhookConfigured - + (conditions[?type == 'RBACPermissionsGranted']): + - message: Policy is ready for reporting. + reason: Succeeded + status: "True" + (conditions[?type == 'WebhookConfigured']): + - message: Webhook configured. + reason: Succeeded + status: "True" + type: WebhookConfigured From dc1fecfeec97d2805751b9aafa00dbf7c0d2516f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 3 Dec 2025 17:17:18 +0100 Subject: [PATCH 13/14] build(deps): Bump actions/checkout from 6.0.0 to 6.0.1 (#1394) Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.0 to 6.0.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/1af3b93b6815bc44a9784bd300feb67ff0d1eeb3...8e8c483db84b4bee98b60c0593521ed34d9990e8) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Brandon Metcalf --- .github/workflows/check-actions.yaml | 2 +- .github/workflows/cherry-pick-on-merge.yaml | 2 +- .github/workflows/ci.yml | 10 +- .github/workflows/comment-commands.yaml | 2 +- .github/workflows/test.yml | 120 ++++++++++---------- 5 files changed, 68 insertions(+), 68 deletions(-)
diff --git a/.github/workflows/check-actions.yaml b/.github/workflows/check-actions.yaml
index 8a70576f7..179db9e8c 100644
--- a/.github/workflows/check-actions.yaml
+++ b/.github/workflows/check-actions.yaml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Ensure SHA pinned actions
 uses: zgosalvez/github-actions-ensure-sha-pinned-actions@9e9574ef04ea69da568d6249bd69539ccc704e74 # v4.0.0
 with:
diff --git a/.github/workflows/cherry-pick-on-merge.yaml b/.github/workflows/cherry-pick-on-merge.yaml
index ee9eefe7b..a63c974f2 100644
--- a/.github/workflows/cherry-pick-on-merge.yaml
+++ b/.github/workflows/cherry-pick-on-merge.yaml
@@ -40,7 +40,7 @@ jobs: - name: Checkout repository if: steps.cherry.outputs.result != '[]' - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c3f2a3de5..1d41300f5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,7 +20,7 @@ jobs:
 options: --user root
 steps:
 - name: Checkout code
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 path: policies
 - name: Run ah lint
@@ -31,14 +31,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 path: policies
 - name: Validate all policies
 run: ./.hack/verify-files-structure.sh
 working-directory: policies
 - name: Clone Kyverno
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 repository: kyverno/kyverno
 path: kyverno
@@ -56,11 +56,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 path: policies
 - name: Checkout Kyverno
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 repository: kyverno/kyverno
 path: kyverno
diff --git a/.github/workflows/comment-commands.yaml b/.github/workflows/comment-commands.yaml
index 667644b09..58241184a 100644
--- a/.github/workflows/comment-commands.yaml
+++ b/.github/workflows/comment-commands.yaml
@@ -95,7 +95,7 @@ jobs: - name: Checkout repository if: fromJSON(steps.check-merged.outputs.result).merged == true - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f22550e43..0b7de04ba 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -24,7 +24,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -42,7 +42,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -60,7 +60,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -78,7 +78,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -96,7 +96,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -115,7 +115,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -136,7 +136,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -156,7 +156,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -175,7 +175,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -195,7 +195,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -213,7 +213,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -231,7 +231,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -249,7 +249,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -267,7 +267,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -285,7 +285,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -303,7 +303,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -321,7 +321,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -339,7 +339,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -357,7 +357,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -375,7 +375,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -393,7 +393,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -411,7 +411,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -429,7 +429,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -447,7 +447,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -465,7 +465,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -483,7 +483,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -501,7 +501,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -519,7 +519,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -537,7 +537,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -555,7 +555,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -573,7 +573,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -591,7 +591,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -609,7 +609,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -627,7 +627,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -645,7 +645,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -663,7 +663,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -681,7 +681,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -699,7 +699,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -718,7 +718,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -739,7 +739,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -760,7 +760,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -781,7 +781,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -802,7 +802,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -823,7 +823,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -844,7 +844,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -864,7 +864,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -882,7 +882,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -900,7 +900,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -918,7 +918,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -936,7 +936,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -954,7 +954,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -972,7 +972,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -990,7 +990,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -1008,7 +1008,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -1026,7 +1026,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -1044,7 +1044,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -1062,7 +1062,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -1080,7 +1080,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -1098,7 +1098,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with:
@@ -1116,7 +1116,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Setup Environment
 uses: ./.github/actions/setup-env
 with: From 5aafcb16247859f3579521a4955d1d996f5d532f Mon Sep 17 00:00:00 2001 From: Brandon Metcalf Date: Wed, 3 Dec 2025 11:32:33 -0600 Subject: [PATCH 14/14] update evict to disrupt
Signed-off-by: Brandon Metcalf --- .../.chainsaw-test/chainsaw-test.yaml | 0 .../.chainsaw-test/patched03.yaml | 0 .../.chainsaw-test/patched04.yaml | 0 .../.chainsaw-test/policy-ready.yaml | 0 .../.chainsaw-test/resource-others.yaml | 0 .../.kyverno-test/kyverno-test.yaml | 0 .../.kyverno-test/patched01.yaml | 0 .../.kyverno-test/patched02.yaml | 0 .../.kyverno-test/resource.yaml | 0 .../add-karpenter-donot-disrupt.yaml} | 18 +++++++-------- .../artifacthub-pkg.yml | 23 +++++++++++++++++++ .../artifacthub-pkg.yml | 23 ------------------- 12 files changed, 32 insertions(+), 32 deletions(-) rename karpenter-mpol/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.chainsaw-test/chainsaw-test.yaml (100%) rename karpenter-mpol/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.chainsaw-test/patched03.yaml (100%) rename karpenter-mpol/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.chainsaw-test/patched04.yaml (100%) rename karpenter-mpol/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.chainsaw-test/policy-ready.yaml (100%) rename karpenter-mpol/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.chainsaw-test/resource-others.yaml (100%) rename karpenter-mpol/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.kyverno-test/kyverno-test.yaml (100%) rename karpenter-mpol/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.kyverno-test/patched01.yaml (100%) rename karpenter-mpol/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.kyverno-test/patched02.yaml (100%) rename karpenter-mpol/{add-karpenter-donot-evict => add-karpenter-donot-disrupt}/.kyverno-test/resource.yaml (100%) rename karpenter-mpol/{add-karpenter-donot-evict/add-karpenter-donot-evict.yaml => add-karpenter-donot-disrupt/add-karpenter-donot-disrupt.yaml} (73%) create mode 100644 karpenter-mpol/add-karpenter-donot-disrupt/artifacthub-pkg.yml delete mode 100644 karpenter-mpol/add-karpenter-donot-evict/artifacthub-pkg.yml 
diff --git a/karpenter-mpol/add-karpenter-donot-evict/.chainsaw-test/chainsaw-test.yaml b/karpenter-mpol/add-karpenter-donot-disrupt/.chainsaw-test/chainsaw-test.yaml
similarity index 100%
rename from karpenter-mpol/add-karpenter-donot-evict/.chainsaw-test/chainsaw-test.yaml
rename to karpenter-mpol/add-karpenter-donot-disrupt/.chainsaw-test/chainsaw-test.yaml
diff --git a/karpenter-mpol/add-karpenter-donot-evict/.chainsaw-test/patched03.yaml b/karpenter-mpol/add-karpenter-donot-disrupt/.chainsaw-test/patched03.yaml
similarity index 100%
rename from karpenter-mpol/add-karpenter-donot-evict/.chainsaw-test/patched03.yaml
rename to karpenter-mpol/add-karpenter-donot-disrupt/.chainsaw-test/patched03.yaml
diff --git a/karpenter-mpol/add-karpenter-donot-evict/.chainsaw-test/patched04.yaml b/karpenter-mpol/add-karpenter-donot-disrupt/.chainsaw-test/patched04.yaml
similarity index 100%
rename from karpenter-mpol/add-karpenter-donot-evict/.chainsaw-test/patched04.yaml
rename to karpenter-mpol/add-karpenter-donot-disrupt/.chainsaw-test/patched04.yaml
diff --git a/karpenter-mpol/add-karpenter-donot-evict/.chainsaw-test/policy-ready.yaml b/karpenter-mpol/add-karpenter-donot-disrupt/.chainsaw-test/policy-ready.yaml
similarity index 100%
rename from karpenter-mpol/add-karpenter-donot-evict/.chainsaw-test/policy-ready.yaml
rename to karpenter-mpol/add-karpenter-donot-disrupt/.chainsaw-test/policy-ready.yaml
diff --git a/karpenter-mpol/add-karpenter-donot-evict/.chainsaw-test/resource-others.yaml b/karpenter-mpol/add-karpenter-donot-disrupt/.chainsaw-test/resource-others.yaml
similarity index 100%
rename from karpenter-mpol/add-karpenter-donot-evict/.chainsaw-test/resource-others.yaml
rename to karpenter-mpol/add-karpenter-donot-disrupt/.chainsaw-test/resource-others.yaml
diff --git a/karpenter-mpol/add-karpenter-donot-evict/.kyverno-test/kyverno-test.yaml b/karpenter-mpol/add-karpenter-donot-disrupt/.kyverno-test/kyverno-test.yaml
similarity index 100%
rename from karpenter-mpol/add-karpenter-donot-evict/.kyverno-test/kyverno-test.yaml
rename to karpenter-mpol/add-karpenter-donot-disrupt/.kyverno-test/kyverno-test.yaml
diff --git a/karpenter-mpol/add-karpenter-donot-evict/.kyverno-test/patched01.yaml b/karpenter-mpol/add-karpenter-donot-disrupt/.kyverno-test/patched01.yaml
similarity index 100%
rename from karpenter-mpol/add-karpenter-donot-evict/.kyverno-test/patched01.yaml
rename to karpenter-mpol/add-karpenter-donot-disrupt/.kyverno-test/patched01.yaml
diff --git a/karpenter-mpol/add-karpenter-donot-evict/.kyverno-test/patched02.yaml b/karpenter-mpol/add-karpenter-donot-disrupt/.kyverno-test/patched02.yaml
similarity index 100%
rename from karpenter-mpol/add-karpenter-donot-evict/.kyverno-test/patched02.yaml
rename to karpenter-mpol/add-karpenter-donot-disrupt/.kyverno-test/patched02.yaml
diff --git a/karpenter-mpol/add-karpenter-donot-evict/.kyverno-test/resource.yaml b/karpenter-mpol/add-karpenter-donot-disrupt/.kyverno-test/resource.yaml
similarity index 100%
rename from karpenter-mpol/add-karpenter-donot-evict/.kyverno-test/resource.yaml
rename to karpenter-mpol/add-karpenter-donot-disrupt/.kyverno-test/resource.yaml
diff --git a/karpenter-mpol/add-karpenter-donot-evict/add-karpenter-donot-evict.yaml b/karpenter-mpol/add-karpenter-donot-disrupt/add-karpenter-donot-disrupt.yaml
similarity index 73%
rename from karpenter-mpol/add-karpenter-donot-evict/add-karpenter-donot-evict.yaml
rename to karpenter-mpol/add-karpenter-donot-disrupt/add-karpenter-donot-disrupt.yaml
index 35564aa3d..a1592ebca 100644
--- a/karpenter-mpol/add-karpenter-donot-evict/add-karpenter-donot-evict.yaml
+++ b/karpenter-mpol/add-karpenter-donot-disrupt/add-karpenter-donot-disrupt.yaml
@@ -1,9 +1,9 @@
 apiVersion: policies.kyverno.io/v1alpha1
 kind: MutatingPolicy
 metadata:
- name: add-karpenter-donot-evict
+ name: add-karpenter-donot-disrupt
 annotations:
- policies.kyverno.io/title: Add Karpenter Do Not Evict
+ policies.kyverno.io/title: Add Karpenter Do Not Disrupt
 policies.kyverno.io/category: Karpenter, EKS Best Practices
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
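Review bot: The policy's `metadata.name` and title are renamed here, and the next hunk swaps the annotation key to `karpenter.sh/do-not-disrupt`, but the diffstat moves every test fixture at 100% similarity — `.chainsaw-test/policy-ready.yaml`, `.chainsaw-test/chainsaw-test.yaml`, `.kyverno-test/kyverno-test.yaml` and the four `patched0x.yaml` files — so their contents are unchanged. If those fixtures reference the policy by its old name or expect `karpenter.sh/do-not-evict: "true"` in the patched output (their contents are outside this diff, so please confirm), the chainsaw readiness check and the CLI test will fail against the renamed policy. I would expect at least `policy-ready.yaml` to need `name: add-karpenter-donot-disrupt` and the patched fixtures to need the new annotation key; the artifacthub `digest` added later in this commit should also be recomputed after any such fixture change if the repo's digest covers them.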
@@ -21,15 +21,15 @@ spec:
 object.kind == "Job" ?
 (has(object.spec.template.metadata) ?
 (has(object.spec.template.metadata.annotations) ?
- [JSONPatch{op: "add", path: "/spec/template/metadata/annotations/" + jsonpatch.escapeKey("karpenter.sh/do-not-evict"), value: "true"}] :
- [JSONPatch{op: "add", path: "/spec/template/metadata/annotations", value: {"karpenter.sh/do-not-evict": "true"}}]
+ [JSONPatch{op: "add", path: "/spec/template/metadata/annotations/" + jsonpatch.escapeKey("karpenter.sh/do-not-disrupt"), value: "true"}] :
+ [JSONPatch{op: "add", path: "/spec/template/metadata/annotations", value: {"karpenter.sh/do-not-disrupt": "true"}}]
 ) :
- [JSONPatch{op: "add", path: "/spec/template/metadata", value: {"annotations": {"karpenter.sh/do-not-evict": "true"}}}]
+ [JSONPatch{op: "add", path: "/spec/template/metadata", value: {"annotations": {"karpenter.sh/do-not-disrupt": "true"}}}]
 ) :
 (has(object.spec.jobTemplate.spec.template.metadata) ?
 (has(object.spec.jobTemplate.spec.template.metadata.annotations) ?
- [JSONPatch{op: "add", path: "/spec/jobTemplate/spec/template/metadata/annotations/" + jsonpatch.escapeKey("karpenter.sh/do-not-evict"), value: "true"}] :
- [JSONPatch{op: "add", path: "/spec/jobTemplate/spec/template/metadata/annotations", value: {"karpenter.sh/do-not-evict": "true"}}]
+ [JSONPatch{op: "add", path: "/spec/jobTemplate/spec/template/metadata/annotations/" + jsonpatch.escapeKey("karpenter.sh/do-not-disrupt"), value: "true"}] :
+ [JSONPatch{op: "add", path: "/spec/jobTemplate/spec/template/metadata/annotations", value: {"karpenter.sh/do-not-disrupt": "true"}}]
 ) :
- [JSONPatch{op: "add", path: "/spec/jobTemplate/spec/template/metadata", value: {"annotations": {"karpenter.sh/do-not-evict": "true"}}}]
- )
\ No newline at end of file
+ [JSONPatch{op: "add", path: "/spec/jobTemplate/spec/template/metadata", value: {"annotations": {"karpenter.sh/do-not-disrupt": "true"}}}]
+ )
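Review bot: The annotation key `karpenter.sh/do-not-disrupt` is spelled out six times across the branches of this expression, which is exactly why the rename had to touch every one of them; hoisting it into a single CEL variable (a `spec.variables` entry such as `name: annotationKey` / `expression: '"karpenter.sh/do-not-disrupt"'`, then `jsonpatch.escapeKey(variables.annotationKey)` and `{variables.annotationKey: "true"}` in the patches) would make the next change a one-line edit. I believe MutatingPolicy exposes `spec.variables` like the Kubernetes MutatingAdmissionPolicy it mirrors, but confirm that before relying on it. The new expression emits only the new key, so a cluster whose Karpenter release still honours only `karpenter.sh/do-not-evict` silently loses the protection the policy promises; that compatibility boundary deserves a sentence in the policy description. The mutation expression begins before this hunk, so the `object.kind` dispatch it relies on is not visible here.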
diff --git a/karpenter-mpol/add-karpenter-donot-disrupt/artifacthub-pkg.yml b/karpenter-mpol/add-karpenter-donot-disrupt/artifacthub-pkg.yml
new file mode 100644
index 000000000..6aced67e3
--- /dev/null
+++ b/karpenter-mpol/add-karpenter-donot-disrupt/artifacthub-pkg.yml
@@ -0,0 +1,23 @@
+name: add-karpenter-donot-disrupt
+version: 1.0.0
+displayName: Add Karpenter Do Not Disrupt
+createdAt: "2023-04-10T20:11:12.000Z"
+description: >-
+ If a Pod exists with the annotation `karpenter.sh/do-not-disrupt: true` on a Node, and a request is made to delete the Node, Karpenter will not drain any Pods from that Node or otherwise try to delete the Node. This is useful for Pods that should run uninterrupted to completion. This policy mutates Jobs and CronJobs so that Pods spawned by them will contain the `karpenter.sh/do-not-disrupt: true` annotation.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/karpenter-mpol/add-karpenter-donot-disrupt/add-karpenter-donot-disrupt.yaml
+ ```
+keywords:
+ - kyverno
+ - Karpenter
+ - EKS Best Practices
+readme: |
+ If a Pod exists with the annotation `karpenter.sh/do-not-disrupt: true` on a Node, and a request is made to delete the Node, Karpenter will not drain any Pods from that Node or otherwise try to delete the Node. This is useful for Pods that should run uninterrupted to completion. This policy mutates Jobs and CronJobs so that Pods spawned by them will contain the `karpenter.sh/do-not-disrupt: true` annotation.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Karpenter, EKS Best Practices"
+ kyverno/kubernetesVersion: "1.23"
+ kyverno/subject: "Pod"
+digest: bf608d4be5190ec39a1a94ba7931d3cfd2cca758fb30215c74c093fcb8a42dfb
diff --git a/karpenter-mpol/add-karpenter-donot-evict/artifacthub-pkg.yml b/karpenter-mpol/add-karpenter-donot-evict/artifacthub-pkg.yml
deleted file mode 100644
index a4e70c31c..000000000
--- a/karpenter-mpol/add-karpenter-donot-evict/artifacthub-pkg.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: add-karpenter-donot-evict
-version: 1.0.0
-displayName: Add Karpenter Do Not Evict
-createdAt: "2023-04-10T20:11:12.000Z"
-description: >-
- If a Pod exists with the annotation `karpenter.sh/do-not-evict: true` on a Node, and a request is made to delete the Node, Karpenter will not drain any Pods from that Node or otherwise try to delete the Node. This is useful for Pods that should run uninterrupted to completion. This policy mutates Jobs and CronJobs so that Pods spawned by them will contain the `karpenter.sh/do-not-evict: true` annotation.
-install: |-
- ```shell
- kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/karpenter-mpol/add-karpenter-donot-evict/add-karpenter-donot-evict.yaml
- ```
-keywords:
- - kyverno
- - Karpenter
- - EKS Best Practices
-readme: |
- If a Pod exists with the annotation `karpenter.sh/do-not-evict: true` on a Node, and a request is made to delete the Node, Karpenter will not drain any Pods from that Node or otherwise try to delete the Node. This is useful for Pods that should run uninterrupted to completion. This policy mutates Jobs and CronJobs so that Pods spawned by them will contain the `karpenter.sh/do-not-evict: true` annotation.
-
- Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
-annotations:
- kyverno/category: "Karpenter, EKS Best Practices"
- kyverno/kubernetesVersion: "1.23"
- kyverno/subject: "Pod"
-digest: f5fc20488f075315c8273d735a18347cb9920e9cdf44f690d86d6101f17b9856