diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
index 051c03ba44..79873fcefe 100644
--- a/.github/workflows/helm-release.yaml
+++ b/.github/workflows/helm-release.yaml
@@ -2,7 +2,8 @@ name: helm-release on: push: tags: - - 'helm-chart-v*' + - 'kyverno-chart-v*' + - 'kyverno-policies-chart-v*' permissions: contents: read
@@ -43,8 +44,22 @@ jobs: with: version: v3.4.1 + - name: Set version + run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV + + - name: Create charts tmp directory + run: | + mkdir charts-tmp + if [[ "$RELEASE_VERSION" = "kyverno-policies-chart-v"* ]]; then + cp -a charts/kyverno-policies charts-tmp/kyverno-policies + fi + if [[ "$RELEASE_VERSION" = "kyverno-chart-v"* ]]; then + cp -a charts/kyverno charts-tmp/kyverno + fi + - name: Run chart-releaser uses: stefanprodan/helm-gh-pages@b43a8719cc63fdb3aa943cc57359ab19118eab3f #v1.5.0 with: token: "${{ secrets.GITHUB_TOKEN }}" linting: off + charts_dir: charts-tmp
diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
index a64f66984d..d2dcd56a92 100644
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
@@ -1,7 +1,7 @@ apiVersion: v2 type: application name: kyverno-policies -version: v2.3.2 +version: v2.3.4 appVersion: v1.6.2 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Pod Security Standards implemented as Kyverno policies
@@ -25,5 +25,3 @@ annotations: artifacthub.io/changes: | - kind: added description: Support for artifacthub.io/changes annotation - - kind: added - description: Add policyPreconditions value to allow policies and rules to have preconditions added
diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md
index d7113e8555..bbf7ce459b 100644
--- a/charts/kyverno-policies/README.md
+++ b/charts/kyverno-policies/README.md
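Review bot: The `Create charts tmp directory` step leaves `charts-tmp` empty when `RELEASE_VERSION` matches neither prefix, and the chart-releaser step then runs against an empty `charts_dir` instead of failing loudly; today the `on.push.tags` filter prevents that, but the filter list and the two `if` prefixes have to be kept in sync by hand. Close the second `if` with `else echo "unexpected tag: $RELEASE_VERSION" >&2; exit 1; fi` so drift between the trigger and this step fails at the copy instead of producing a silent no-op release. While here, quote the redirect target in the `Set version` step, `>> "$GITHUB_ENV"`. The value written there is derived from the pushed tag, which requires write access to the repository and, as a git ref name, cannot carry control characters, so there is no `GITHUB_ENV` injection here; revisit that assumption if the trigger is ever widened to `pull_request` or `workflow_dispatch` inputs.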
@@ -2,7 +2,7 @@ Kubernetes Pod Security Standards implemented as Kyverno policies -   +   ## About
@@ -89,5 +89,15 @@ Kubernetes: `>=1.16.0-0` | ---- | ------ | --- | | Nirmata | | https://kyverno.io/ | +## Changes + +### v2.3.4 + +* Do not evaluate `foreach` policies on DELETE + +### v2.3.3 + +* Add policyPreconditions value to allow policies and rules to have preconditions added + ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.6.0](https://github.com/norwoodj/helm-docs/releases/v1.6.0)
diff --git a/charts/kyverno-policies/README.md.gotmpl b/charts/kyverno-policies/README.md.gotmpl
index d3529f1eb1..59c5469140 100644
--- a/charts/kyverno-policies/README.md.gotmpl
+++ b/charts/kyverno-policies/README.md.gotmpl
@@ -67,4 +67,14 @@ The command removes all the Kubernetes components associated with the chart and {{ template "chart.maintainersSection" . }} +## Changes + +### v2.3.4 + +* Do not evaluate `foreach` policies on DELETE + +### v2.3.3 + +* Add policyPreconditions value to allow policies and rules to have preconditions added + {{ template "helm-docs.versionFooter" . }}
diff --git a/charts/kyverno-policies/ci/test-preconditions.yaml b/charts/kyverno-policies/ci/test-preconditions-values.yaml
similarity index 72%
rename from charts/kyverno-policies/ci/test-preconditions.yaml
rename to charts/kyverno-policies/ci/test-preconditions-values.yaml
index 082d7c8fac..df4e8e9d1f 100644
--- a/charts/kyverno-policies/ci/test-preconditions.yaml
+++ b/charts/kyverno-policies/ci/test-preconditions-values.yaml
@@ -3,12 +3,17 @@ includeOtherPolicies: - require-non-root-groups policyPreconditions: require-run-as-non-root-user: + all: + - key: "{{ request.object.metadata.name }}" + operator: NotEquals + value: "dcgm-exporter*" + require-drop-all: any: - key: "{{ request.object.metadata.name }}" operator: NotEquals value: "dcgm-exporter*" adding-capabilities-strict: - any: + all: - key: "{{ request.object.metadata.name }}" operator: NotEquals value: "dcgm-exporter*"
diff --git a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
index 39e13a4635..d62d0b0d13 100644
--- a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
@@ -37,7 +37,15 @@ spec: {{- end }} {{- with merge (index .Values "policyPreconditions" "require-drop-all") (index .Values "policyPreconditions" $name) }} preconditions: - {{- toYaml . | nindent 8 }} + {{- if .all }} + all: + - key: "{{`{{ request.operation }}`}}" + operator: NotEquals + value: DELETE + {{- toYaml .all | nindent 8 }} + {{- else }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} validate: message: >-
@@ -62,7 +70,15 @@ spec: {{- end }} {{- with merge (index .Values "policyPreconditions" "adding-capabilities-strict") (index .Values "policyPreconditions" $name) }} preconditions: - {{- toYaml . | nindent 8 }} + {{- if .all }} + all: + - key: "{{`{{ request.operation }}`}}" + operator: NotEquals + value: DELETE + {{- toYaml .all | nindent 8 }} + {{- else }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} validate: message: >-
diff --git a/charts/kyverno-policies/values.yaml b/charts/kyverno-policies/values.yaml
index c778ad63c1..4ae3d291e3 100644
--- a/charts/kyverno-policies/values.yaml
+++ b/charts/kyverno-policies/values.yaml
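Review bot: The `request.operation` / `NotEquals` / `DELETE` guard is emitted only under `{{- if .all }}`, so a rule whose merged preconditions are empty (the default, since the whole block sits inside `with merge …`) or consist only of an `any:` list still renders through the old `toYaml .` path and keeps being evaluated on DELETE, the case the v2.3.4 changelog entry says is fixed. When the merged map carries both `all:` and `any:`, only `.all` is rendered and the `any:` list is silently dropped. Unless the DELETE condition is also injected above this block (the `{{- end }}` on the first context line closes something outside the hunk), make the guard unconditional and append the user-supplied lists to it, as below. The enclosing rule starts and ends outside the hunk.

```yaml
      preconditions:
        all:
        - key: "{{`{{ request.operation }}`}}"
          operator: NotEquals
          value: DELETE
        {{- with merge (index .Values "policyPreconditions" "require-drop-all") (index .Values "policyPreconditions" $name) }}
        {{- with .all }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- with .any }}
        any:
        {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- end }}
      # … unchanged: validate: block …
```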
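Review bot: The nine-line `if .all … else … end` block is now duplicated verbatim between the `require-drop-all` and `adding-capabilities-strict` rules, so the DELETE guard and the `all`/`any` handling must be changed in two places whenever either is touched. Move the block into a named template in `_helpers.tpl` (for example `kyverno-policies.preconditions`) that takes the merged map and renders `preconditions:` with the guard followed by the user lists, and call it from both rules with `{{- include "kyverno-policies.preconditions" (merge (index .Values "policyPreconditions" "adding-capabilities-strict") (index .Values "policyPreconditions" $name)) | nindent 6 }}`. Other `foreach` policies in the chart presumably need the same guard and are not part of this diff, which is a further reason to centralise it. `$name` is defined outside the hunk.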
@@ -53,16 +53,21 @@ policyExclude: {} policyPreconditions: {} # # Exclude resources from individual policies # require-run-as-non-root-user: - # any: + # all: # - key: "{{ request.object.metadata.name }}" # operator: NotEquals # value: "dcgm-exporter*" # # Policies with multiple rules can have individual rules excluded + # require-drop-all: + # any: + # - key: "{{ request.object.metadata.name }}" + # operator: NotEquals + # value: "dcgm-exporter*" # adding-capabilities-strict: - # any: - # - key: "{{ request.object.metadata.name }}" - # operator: NotEquals - # value: "dcgm-exporter*" + # all: + # - key: "{{ request.object.metadata.name }}" + # operator: NotEquals + # value: "dcgm-exporter*" # -- Name override. nameOverride:
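Review bot: The `require-drop-all` example keeps `any:` while its two siblings were switched to `all:`, and the template change in this same diff prepends the `request.operation != DELETE` condition only to `all:` lists, so a user who copies this example gets a rule that is still evaluated on DELETE. Switch the example to `all:` and say why the shape matters, e.g. `# Prefer all: here — the chart prepends a "request.operation != DELETE" condition to all: lists, while an any: list is rendered exactly as given.` A single `NotEquals` condition behaves the same under either operator, so nothing in the example is lost by the switch.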