feat(vpol): Add Best Practices ValidatingPolicy conversions #1426
Open
AIWithShrey wants to merge 8 commits into kyverno:main from
Conversation
Add 5 ValidatingPolicy conversions from the Best Practices category:
- disallow-cri-sock-mount: Prevents container socket mounts
- disallow-default-namespace: Prevents use of default namespace
- disallow-helm-tiller: Prevents Helm Tiller images
- disallow-latest-tag: Prevents :latest tag and missing tags
- require-drop-cap-net-raw: Requires dropping CAP_NET_RAW

All policies include:
- CEL-based ValidatingPolicy implementation
- Chainsaw tests with good/bad test cases
- artifacthub-pkg.yml for Artifact Hub integration

Tested and validated on kind-kyverno cluster.

Signed-off-by: Shreyas Mocherla <shreyas@shreyasm.com>
Add additional ValidatingPolicy conversions:
- block-bare-pods: Prevent bare pods without ownerReferences
- protect-node-taints: Block unauthorized Node taint modifications
- require-corp-version-label: Require semver version label

Note: memory-requests-equal-limits and prevent-cr8escape already exist in the repo - skipped to avoid overwriting.

All policies include Chainsaw tests and Artifact Hub metadata.

Signed-off-by: Shreyas Mocherla <shreyas@shreyasm.com>
Removed duplicates:
- block-bare-pods (same as upstream prevent-bare-pods)
- require-corp-version-label (same as upstream metadata-match-regex)

Signed-off-by: Shreyas Mocherla <shreyas@shreyasm.com>
Create new best-practices-vpol/ folder to follow upstream convention:
- best-practices/ for ClusterPolicy
- best-practices-cel/ for CEL ClusterPolicy
- best-practices-gpol/ for GeneratingPolicy
- best-practices-mpol/ for MutatingPolicy
- best-practices-vpol/ for ValidatingPolicy (NEW)

Moved 5 policies from other-vpol/ to best-practices-vpol/:
- disallow-cri-sock-mount
- disallow-default-namespace
- disallow-helm-tiller
- disallow-latest-tag
- require-drop-cap-net-raw

protect-node-taints remains in other-vpol/ (Security category)

Signed-off-by: Shreyas Mocherla <shreyas@shreyasm.com>
Generated using the same approach as .hack/update-artifacthub-pkg.sh:
- digest: SHA256 hash of the policy YAML file
- createdAt: UTC timestamp

These fields are required for Artifact Hub integration.

Signed-off-by: Shreyas Mocherla <shreyas@shreyasm.com>
Branch force-pushed from 3d89fcc to 3c112d8.
Update all ValidatingPolicy resources and Chainsaw tests to use policies.kyverno.io/v1 as v1alpha1 will be removed in the next Kyverno OSS release.

Signed-off-by: Shreyas Mocherla <shreyas@shreyasm.com>
realshuting previously approved these changes (Feb 3, 2026).
Signed-off-by: Shreyas Mocherla <shreyas@shreyasm.com>
auto-merge was automatically disabled on February 3, 2026 13:38: head branch was pushed to by a user without write access.
…test

By default, Kyverno excludes Nodes from processing. This policy targets Node UPDATE operations, so we need to temporarily enable Node processing in the Kyverno configmap before applying the policy, similar to other Node-related policies like restrict-node-label-creation.

Signed-off-by: Shreyas Mocherla <shreyas@shreyasm.com>
Branch force-pushed from 940241e to 47f88d4.
Summary
This PR introduces best-practices-vpol/, a new folder for ValidatingPolicy versions of Best Practices policies, following the existing naming convention:
- best-practices/ → ClusterPolicy
- best-practices-cel/ → CEL ClusterPolicy
- best-practices-gpol/ → GeneratingPolicy
- best-practices-mpol/ → MutatingPolicy
- best-practices-vpol/ → ValidatingPolicy (NEW)

Policies Added

best-practices-vpol/ (5 policies)
- disallow-cri-sock-mount
- disallow-default-namespace
- disallow-helm-tiller
- disallow-latest-tag (:latest tag and missing image tags)
- require-drop-cap-net-raw

other-vpol/ (1 policy)
- protect-node-taints

Testing
All policies have been tested with Chainsaw against a kind cluster with Kyverno installed:
Checklist
- .chainsaw-test/ with test cases
- artifacthub-pkg.yml with digest and createdAt
- policy-ready.yaml asserts webhook configuration

Related

These are ValidatingPolicy conversions of existing ClusterPolicies from best-practices/.
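As an added illustration of what one of these conversions looks like (this is not a file from the PR or from the kyverno/policies repository), here is a ValidatingPolicy in the shape of disallow-latest-tag, written against the policies.kyverno.io/v1 API that the last commit switches to. The policy name, the annotations, the variable name and the CEL expression are assumptions for the example; the spec layout (matchConstraints, variables, validations with expression/message) follows the documented ValidatingPolicy schema. The point a reviewer of a "missing tag" rule wants to see handled: a reference such as registry.example.com:5000/app contains a ':' but carries no tag, and a digest-pinned reference contains no tag yet is the most secure form, so the tag check is made on the segment after the final '/' and digest references are accepted.

```yaml
# Added illustrative example, not code from this PR.
# Assumptions: policies.kyverno.io/v1 ValidatingPolicy keeps the v1alpha1
# spec layout; policy name, annotations and the CEL expression are
# illustrative.
apiVersion: policies.kyverno.io/v1
kind: ValidatingPolicy
metadata:
  name: disallow-latest-tag
  annotations:
    policies.kyverno.io/title: Disallow Latest Tag
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
spec:
  validationActions:
    - Deny
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  variables:
    # Collect every image reference in the Pod. initContainers and
    # ephemeralContainers are optional fields, so they are only read
    # when present.
    - name: images
      expression: >-
        object.spec.containers.map(c, c.image)
        + (has(object.spec.initContainers) ? object.spec.initContainers.map(c, c.image) : [])
        + (has(object.spec.ephemeralContainers) ? object.spec.ephemeralContainers.map(c, c.image) : [])
  validations:
    # A reference passes if it is pinned by digest ('@' present), or if
    # the last path segment (after the final '/') carries a tag and that
    # tag is not 'latest'. lastIndexOf returns -1 when there is no '/',
    # so substring(0) then covers the whole reference.
    - expression: >-
        variables.images.all(img,
          img.contains('@') ||
          (img.substring(img.lastIndexOf('/') + 1).contains(':') &&
           !img.endsWith(':latest')))
      message: >-
        Every container image must carry an explicit tag other than
        'latest', or be pinned by digest.
```

With this expression, nginx, nginx:latest and registry.example.com:5000/app are denied, while nginx:1.27 and nginx@sha256:<digest> are admitted. A Chainsaw test for such a policy would apply one Pod of each kind and expect the apply of the bad ones to fail, which is the good/bad case split the PR's commit messages describe.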