kyverno/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml

{{- $name := "restrict-apparmor-profiles" }}
{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: {{ $name }}
  annotations:
    {{- with .Values.autogenControllers }}
    pod-policies.kyverno.io/autogen-controllers: {{ . }}
    {{- end }}
    policies.kyverno.io/title: Restrict AppArmor
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    {{- if .Values.podSecuritySeverity }}
    policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
    {{- end }}
    policies.kyverno.io/subject: Pod, Annotation
    policies.kyverno.io/minversion: 1.3.0
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.22-1.23"
    policies.kyverno.io/description: >-
      On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
      The default policy should prevent overriding or disabling the policy, or restrict
      overrides to an allowed set of profiles. This policy ensures Pods do not
      specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
  {{- else }}
  validationFailureAction: {{ .Values.validationFailureAction }}
  {{- end }}
  {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
  validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
  {{- end }}
  background: {{ .Values.background }}
  failurePolicy: {{ .Values.failurePolicy }}
  rules:
    - name: app-armor
      match:
        any:
        - resources:
            kinds:
              - Pod
      {{- with index .Values "policyExclude" $name }}
      exclude:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with index .Values "policyPreconditions" $name }}
      preconditions:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      validate:
        message: >-
          Specifying other AppArmor profiles is disallowed. The annotation
          `container.apparmor.security.beta.kubernetes.io` if defined
          must not be set to anything other than `runtime/default` or `localhost/*`.
        pattern:
          =(metadata):
            =(annotations):
              =(container.apparmor.security.beta.kubernetes.io/*): "runtime/default | localhost/*"
{{- end }}
Update kyverno-policies chart with latest pod-security policies (#3126) * Update kyverno-policies chart with latest pod-security policies Fixes #3063 Fixes #2277 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README to have better example Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use chart testing during e2e to test against ci values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix e2e tests for Helm chart Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix Kyverno chart testing to actually test values, and fix networkpolicy template Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README for exclusion Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Allow adding 'other' policies via Helm Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update Chart.yaml for kyverno-policies Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Bump minimum Kubernetes version in charts Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update kyverno-policies chart readme Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases (part 2) Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use same logic to get git tag by using Makefile target for updating Helm values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com> 2022-02-04 01:47:36 -05:00			`{{- $name := "restrict-apparmor-profiles" }}`
			`{{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }}`
			`apiVersion: kyverno.io/v1`
			`kind: ClusterPolicy`
			`metadata:`
			`name: {{ $name }}`
			`annotations:`
feat(policies chart): Add ability to set autogen behavior (#5517) * feat(kyverno-policies): Add ability to set autogen behavior Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> * fix(kyverno-policies): Fix missing labels Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> * chore: Apply changes from code review - Update changelog annotations - Add test Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> * Update charts/kyverno-policies/Chart.yaml Signed-off-by: shuting <shutting06@gmail.com> * fix: Move test-autogen-none.yaml -> test-autogen-none-values.yaml Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> * fix: Run make codegen-helm-all Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> Signed-off-by: shuting <shutting06@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: shuting <shutting06@gmail.com> 2022-12-01 11:05:56 +01:00			`{{- with .Values.autogenControllers }}`
			`pod-policies.kyverno.io/autogen-controllers: {{ . }}`
			`{{- end }}`
Update kyverno-policies chart with latest pod-security policies (#3126) * Update kyverno-policies chart with latest pod-security policies Fixes #3063 Fixes #2277 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README to have better example Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use chart testing during e2e to test against ci values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix e2e tests for Helm chart Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix Kyverno chart testing to actually test values, and fix networkpolicy template Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README for exclusion Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Allow adding 'other' policies via Helm Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update Chart.yaml for kyverno-policies Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Bump minimum Kubernetes version in charts Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update kyverno-policies chart readme Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases (part 2) Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use same logic to get git tag by using Makefile target for updating Helm values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com> 2022-02-04 01:47:36 -05:00			`policies.kyverno.io/title: Restrict AppArmor`
			`policies.kyverno.io/category: Pod Security Standards (Baseline)`
			`{{- if .Values.podSecuritySeverity }}`
			`policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}`
			`{{- end }}`
			`policies.kyverno.io/subject: Pod, Annotation`
			`policies.kyverno.io/minversion: 1.3.0`
			`kyverno.io/kyverno-version: 1.6.0`
			`kyverno.io/kubernetes-version: "1.22-1.23"`
			`policies.kyverno.io/description: >-`
			`On supported hosts, the 'runtime/default' AppArmor profile is applied by default.`
			`The default policy should prevent overriding or disabling the policy, or restrict`
			`overrides to an allowed set of profiles. This policy ensures Pods do not`
			specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
feat(policies chart): Add ability to set autogen behavior (#5517) * feat(kyverno-policies): Add ability to set autogen behavior Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> * fix(kyverno-policies): Fix missing labels Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> * chore: Apply changes from code review - Update changelog annotations - Add test Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> * Update charts/kyverno-policies/Chart.yaml Signed-off-by: shuting <shutting06@gmail.com> * fix: Move test-autogen-none.yaml -> test-autogen-none-values.yaml Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> * fix: Run make codegen-helm-all Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> Signed-off-by: shuting <shutting06@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: shuting <shutting06@gmail.com> 2022-12-01 11:05:56 +01:00			`labels: {{ include "kyverno-policies.labels" . \| nindent 4 }}`
Update kyverno-policies chart with latest pod-security policies (#3126) * Update kyverno-policies chart with latest pod-security policies Fixes #3063 Fixes #2277 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README to have better example Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use chart testing during e2e to test against ci values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix e2e tests for Helm chart Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix Kyverno chart testing to actually test values, and fix networkpolicy template Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README for exclusion Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Allow adding 'other' policies via Helm Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update Chart.yaml for kyverno-policies Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Bump minimum Kubernetes version in charts Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update kyverno-policies chart readme Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases (part 2) Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use same logic to get git tag by using Makefile target for updating Helm values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com> 2022-02-04 01:47:36 -05:00			`spec:`
[Feature] Add posibility to set validationFailureAction by Policy (#4400) * Implement validationFailureActionByPolicy * Update README.md * Add artifacthub.io/changes entry * Add Test Case Signed-off-by: dschunack <dschunack@web.de> 2022-08-25 17:29:20 +02:00			`{{- with index .Values "validationFailureActionByPolicy" $name }}`
			`validationFailureAction: {{ toYaml . }}`
			`{{- else }}`
Update kyverno-policies chart with latest pod-security policies (#3126) * Update kyverno-policies chart with latest pod-security policies Fixes #3063 Fixes #2277 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README to have better example Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use chart testing during e2e to test against ci values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix e2e tests for Helm chart Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix Kyverno chart testing to actually test values, and fix networkpolicy template Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README for exclusion Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Allow adding 'other' policies via Helm Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update Chart.yaml for kyverno-policies Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Bump minimum Kubernetes version in charts Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update kyverno-policies chart readme Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases (part 2) Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use same logic to get git tag by using Makefile target for updating Helm values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com> 2022-02-04 01:47:36 -05:00			`validationFailureAction: {{ .Values.validationFailureAction }}`
[Feature] Add posibility to set validationFailureAction by Policy (#4400) * Implement validationFailureActionByPolicy * Update README.md * Add artifacthub.io/changes entry * Add Test Case Signed-off-by: dschunack <dschunack@web.de> 2022-08-25 17:29:20 +02:00			`{{- end }}`
Allow setting validationFailureActionOverrides for policies (#3201) Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> 2022-02-09 03:24:35 -05:00			`{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}`
			`validationFailureActionOverrides: {{ toYaml . \| nindent 4 }}`
			`{{- end }}`
feat: support background mode configuration in kyverno-policies chart (#3299) Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> 2022-02-24 17:31:51 +01:00			`background: {{ .Values.background }}`
support failurePolicy in kyverno-policies helm chart (#4323) * support failurePolicy in kyverno-policies helm chart Signed-off-by: Tom Stewart <thomas.stewart@arcadia.com> 2022-08-09 17:12:27 -04:00			`failurePolicy: {{ .Values.failurePolicy }}`
Update kyverno-policies chart with latest pod-security policies (#3126) * Update kyverno-policies chart with latest pod-security policies Fixes #3063 Fixes #2277 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README to have better example Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use chart testing during e2e to test against ci values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix e2e tests for Helm chart Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix Kyverno chart testing to actually test values, and fix networkpolicy template Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README for exclusion Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Allow adding 'other' policies via Helm Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update Chart.yaml for kyverno-policies Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Bump minimum Kubernetes version in charts Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update kyverno-policies chart readme Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases (part 2) Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use same logic to get git tag by using Makefile target for updating Helm values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com> 2022-02-04 01:47:36 -05:00			`rules:`
			`- name: app-armor`
			`match:`
			`any:`
			`- resources:`
			`kinds:`
			`- Pod`
			`{{- with index .Values "policyExclude" $name }}`
			`exclude:`
			`{{- toYaml . \| nindent 8 }}`
			`{{- end }}`
Allow kyverno-policies to have preconditions defined (#3606) * Allow kyverno-policies to have preconditions defined Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix docs Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> 2022-04-18 13:59:47 -04:00			`{{- with index .Values "policyPreconditions" $name }}`
			`preconditions:`
			`{{- toYaml . \| nindent 8 }}`
			`{{- end }}`
Update kyverno-policies chart with latest pod-security policies (#3126) * Update kyverno-policies chart with latest pod-security policies Fixes #3063 Fixes #2277 Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README to have better example Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use chart testing during e2e to test against ci values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix e2e tests for Helm chart Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Fix Kyverno chart testing to actually test values, and fix networkpolicy template Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update README for exclusion Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Allow adding 'other' policies via Helm Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update Chart.yaml for kyverno-policies Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Bump minimum Kubernetes version in charts Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Update kyverno-policies chart readme Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use version that should catch all pre-releases (part 2) Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> * Use same logic to get git tag by using Makefile target for updating Helm values Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com> 2022-02-04 01:47:36 -05:00			`validate:`
			`message: >-`
			`Specifying other AppArmor profiles is disallowed. The annotation`
			`container.apparmor.security.beta.kubernetes.io` if defined
			must not be set to anything other than `runtime/default` or `localhost/*`.
			`pattern:`
			`=(metadata):`
			`=(annotations):`
			`=(container.apparmor.security.beta.kubernetes.io/): "runtime/default \| localhost/"`
			`{{- end }}`