mirror of https://github.com/kyverno/kyverno.git synced 2025-03-28 18:38:40 +00:00

Cherry-pick release-1.6 Helm changes (#3689)

* Support releasing kyverno and kyverno-policies chart separately (#3672)

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Add DELETE precondition back (#3657)

* Add DELETE precondition back

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

* Add another example and test for 'any'

Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>

Co-authored-by: shuting <shuting@nirmata.com>
treydock 2022-04-26 23:52:45 -04:00 committed by GitHub
parent 029b69fa6b
commit 0ae671ca7a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 72 additions and 13 deletions


@ -2,7 +2,8 @@ name: helm-release
on:
push:
tags:
- 'helm-chart-v*'
- 'kyverno-chart-v*'
- 'kyverno-policies-chart-v*'
permissions:
contents: read
@ -43,8 +44,22 @@ jobs:
with:
version: v3.4.1
- name: Set version
run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
- name: Create charts tmp directory
run: |
mkdir charts-tmp
if [[ "$RELEASE_VERSION" = "kyverno-policies-chart-v"* ]]; then
cp -a charts/kyverno-policies charts-tmp/kyverno-policies
fi
if [[ "$RELEASE_VERSION" = "kyverno-chart-v"* ]]; then
cp -a charts/kyverno charts-tmp/kyverno
fi
- name: Run chart-releaser
uses: stefanprodan/helm-gh-pages@b43a8719cc63fdb3aa943cc57359ab19118eab3f #v1.5.0
with:
token: "${{ secrets.GITHUB_TOKEN }}"
linting: off
charts_dir: charts-tmp
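Review bot: The `Create charts tmp directory` step has no failure branch, so if the tag matches neither prefix test the job goes on to run the releaser against an empty `charts-tmp`. The `tags:` filter in the first hunk makes that unlikely today, but the two lists are maintained separately and can drift apart. Writing the tests as one `if … elif … else` that ends in `echo "unexpected tag: $RELEASE_VERSION" >&2; exit 1` makes the publish step fail closed. In `Set version`, the redirect target should be quoted as `>> "$GITHUB_ENV"`. The rest of the job lies outside the hunk.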


@ -1,7 +1,7 @@
apiVersion: v2
type: application
name: kyverno-policies
version: v2.3.2
version: v2.3.4
appVersion: v1.6.2
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
description: Kubernetes Pod Security Standards implemented as Kyverno policies
@ -25,5 +25,3 @@ annotations:
artifacthub.io/changes: |
- kind: added
description: Support for artifacthub.io/changes annotation
- kind: added
description: Add policyPreconditions value to allow policies and rules to have preconditions added


@ -2,7 +2,7 @@
Kubernetes Pod Security Standards implemented as Kyverno policies
![Version: v2.3.2](https://img.shields.io/badge/Version-v2.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.2](https://img.shields.io/badge/AppVersion-v1.6.2-informational?style=flat-square)
![Version: v2.3.4](https://img.shields.io/badge/Version-v2.3.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.6.2](https://img.shields.io/badge/AppVersion-v1.6.2-informational?style=flat-square)
## About
@ -89,5 +89,15 @@ Kubernetes: `>=1.16.0-0`
| ---- | ------ | --- |
| Nirmata | | https://kyverno.io/ |
## Changes
### v2.3.4
* Do not evaluate `foreach` policies on DELETE
### v2.3.3
* Add policyPreconditions value to allow policies and rules to have preconditions added
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.6.0](https://github.com/norwoodj/helm-docs/releases/v1.6.0)


@ -67,4 +67,14 @@ The command removes all the Kubernetes components associated with the chart and
{{ template "chart.maintainersSection" . }}
## Changes
### v2.3.4
* Do not evaluate `foreach` policies on DELETE
### v2.3.3
* Add policyPreconditions value to allow policies and rules to have preconditions added
{{ template "helm-docs.versionFooter" . }}


@ -3,12 +3,17 @@ includeOtherPolicies:
- require-non-root-groups
policyPreconditions:
require-run-as-non-root-user:
all:
- key: "{{ request.object.metadata.name }}"
operator: NotEquals
value: "dcgm-exporter*"
require-drop-all:
any:
- key: "{{ request.object.metadata.name }}"
operator: NotEquals
value: "dcgm-exporter*"
adding-capabilities-strict:
any:
all:
- key: "{{ request.object.metadata.name }}"
operator: NotEquals
value: "dcgm-exporter*"
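Review bot: Every precondition in these values exempts workloads by matching `request.object.metadata.name` against `dcgm-exporter*`, and that name is chosen by whoever creates the resource, so anything given the prefix skips the Pod Security rule. That is harmless in a test values file, but the same block is the commented example in the chart's values file (last section of this commit), where users will copy it. I would add a line above that example such as `# NOTE: a name match alone exempts every resource with this prefix; scope it with a namespace condition`. I would also show the scoped form: a second `NotEquals` entry on `{{ request.object.metadata.namespace }}` in the same `any:` list, so the rule is skipped only when both name and namespace match.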


@ -37,7 +37,15 @@ spec:
{{- end }}
{{- with merge (index .Values "policyPreconditions" "require-drop-all") (index .Values "policyPreconditions" $name) }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- if .all }}
all:
- key: "{{`{{ request.operation }}`}}"
operator: NotEquals
value: DELETE
{{- toYaml .all | nindent 8 }}
{{- else }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
validate:
message: >-
@ -62,7 +70,15 @@ spec:
{{- end }}
{{- with merge (index .Values "policyPreconditions" "adding-capabilities-strict") (index .Values "policyPreconditions" $name) }}
preconditions:
{{- toYaml . | nindent 8 }}
{{- if .all }}
all:
- key: "{{`{{ request.operation }}`}}"
operator: NotEquals
value: DELETE
{{- toYaml .all | nindent 8 }}
{{- else }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
validate:
message: >-
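Review bot: The `request.operation NotEquals DELETE` guard is rendered only in the `if .all` branch, so values that set only `any:` for `require-drop-all` or `adding-capabilities-strict` fall through to the `else` branch and lose the guard. Values that set both `any:` and `all:` have their `any:` conditions silently dropped, because that branch emits only `.all`. Both `preconditions:` blocks in this file section have the same shape. I would emit the `all:` guard unconditionally and append the user's `.all` and `.any` lists separately, as sketched below; the indentation is inferred, since the page has lost it. The enclosing rule continues outside the hunk at `validate:`.

```yaml
      {{- with merge (index .Values "policyPreconditions" "require-drop-all") (index .Values "policyPreconditions" $name) }}
      preconditions:
        all:
        - key: "{{`{{ request.operation }}`}}"
          operator: NotEquals
          value: DELETE
        {{- with .all }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- with .any }}
        any:
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- end }}
      # … unchanged: validate block; apply the same shape to adding-capabilities-strict …
```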


@ -53,16 +53,21 @@ policyExclude: {}
policyPreconditions: {}
# # Exclude resources from individual policies
# require-run-as-non-root-user:
# any:
# all:
# - key: "{{ request.object.metadata.name }}"
# operator: NotEquals
# value: "dcgm-exporter*"
# # Policies with multiple rules can have individual rules excluded
# require-drop-all:
# any:
# - key: "{{ request.object.metadata.name }}"
# operator: NotEquals
# value: "dcgm-exporter*"
# adding-capabilities-strict:
# any:
# - key: "{{ request.object.metadata.name }}"
# operator: NotEquals
# value: "dcgm-exporter*"
# all:
# - key: "{{ request.object.metadata.name }}"
# operator: NotEquals
# value: "dcgm-exporter*"
# -- Name override.
nameOverride: