diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
index 6226d70099..1597ea2251 100644
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
@@ -21,4 +21,3 @@ kubeVersion: ">=1.16.0-0"
 annotations:
 artifacthub.io/operator: "false"
 artifacthub.io/prerelease: "false"
-
diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md
index 0d7a5fe660..a99e154128 100644
--- a/charts/kyverno-policies/README.md
+++ b/charts/kyverno-policies/README.md
@@ -79,6 +79,7 @@ The command removes all the Kubernetes components associated with the chart and
 | nameOverride | string | `nil` | Name override. |
 | customLabels | object | `{}` | Additional labels. |
 | background | bool | `true` | Policies background mode |
+| skipBackgroundRequests | bool | `nil` | SkipBackgroundRequests bypasses admission requests that are sent by the background controller |
 | kyvernoVersion | string | `"autodetect"` | Kyverno version The default of "autodetect" will try to determine the currently installed version from the deployment |
 ## Source Code
diff --git a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
index 80c8f8ff8f..c93d4601a4 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
@@ -64,6 +64,9 @@ spec:
 operator: NotEquals
 value: DELETE
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Any capabilities added beyond the allowed list (AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER,
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
index 0709da5b11..58c33e2218 100644
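Review bot: The same three-line `skipBackgroundRequests` stanza is pasted verbatim into every rule of every policy template in this diff (disallow-host-namespaces through restrict-volume-types, including the multi-rule policies disallow-selinux, require-non-root-groups and disallow-capabilities-strict), so a rule added later or missed in one file would silently keep Kyverno's built-in handling while the chart documents the value as applying to all policies. Moving the block into a named template and replacing each copy with a one-line `include` keeps every rule on the same setting and gives a single place to maintain the `quote … | empty` presence test that lets an explicit `false` through. The `nindent` must match the indent of the sibling `validate:` key, which the hunk does not show. The enclosing rule entries start before each hunk.
```yaml
{{/* Named template (in the chart's helpers file): renders the rule-level
     skipBackgroundRequests field only when the value is explicitly set,
     so both true and false are honoured and ~ defers to Kyverno's default. */}}
{{- define "kyverno-policies.skipBackgroundRequests" -}}
{{- if not (quote .Values.skipBackgroundRequests | empty) -}}
skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
{{- end -}}
{{- end -}}

# … unchanged: match / exclude / preconditions for the rule …
{{- include "kyverno-policies.skipBackgroundRequests" . | nindent 6 }}
# … unchanged: validate …
```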
--- a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
@@ -48,6 +48,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Sharing the host namespaces is disallowed. The fields spec.hostNetwork,
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
index c4d142682a..5585a0d81c 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
@@ -47,6 +47,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset.
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
index cb29db0597..cf3bd191a0 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
@@ -47,6 +47,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
index 1205f4ecae..3f925251d0 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
@@ -48,6 +48,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess,
diff --git a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
index b0ce149ef8..10f222bfdc 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
@@ -46,6 +46,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged
diff --git a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
index 3d215d0271..c9ebfb2008 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
@@ -48,6 +48,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Changing the proc mount from the default is not allowed. The fields
diff --git a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
index d8785a9287..f6045308a4 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
@@ -46,6 +46,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Setting the SELinux type is restricted. The fields
@@ -83,6 +86,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Setting the SELinux user or role is forbidden. The fields
diff --git a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
index 3db9a943eb..4e261d87a4 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
@@ -49,6 +49,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Specifying other AppArmor profiles is disallowed. The annotation
diff --git a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
index a62fdfe666..0798a64578 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
@@ -47,6 +47,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Use of custom Seccomp profiles is disallowed. The fields
diff --git a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
index 8e74fa8529..f8a3f54aaa 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
@@ -50,6 +50,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Setting additional sysctls above the allowed type is disallowed.
diff --git a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
index 411f3ede00..4e0b74d17f 100644
--- a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
+++ b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
@@ -48,6 +48,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Running with root group IDs is disallowed. The fields
@@ -92,6 +95,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Containers cannot run with a root primary or supplementary GID. The field
@@ -111,6 +117,9 @@ spec:
 exclude:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Containers cannot run with a root primary or supplementary GID. The field
diff --git a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
index 8d1bca940c..ff563f1564 100644
--- a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
@@ -65,6 +65,9 @@ spec:
 operator: NotEquals
 value: DELETE
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Containers must drop `ALL` capabilities.
@@ -107,6 +110,9 @@ spec:
 operator: NotEquals
 value: DELETE
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Any capabilities added other than NET_BIND_SERVICE are disallowed.
diff --git a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
index 56148903fa..646cb48a57 100644
--- a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
@@ -46,6 +46,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Privilege escalation is disallowed. The fields
diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
index baeaf07737..7bb165be21 100644
--- a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
@@ -46,6 +46,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Running as root is not allowed. The fields spec.securityContext.runAsUser,
diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
index 5ec363f700..8b1e589519 100644
--- a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
@@ -47,6 +47,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot
diff --git a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
index e5138b6af6..28482459bd 100644
--- a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
@@ -49,6 +49,9 @@ spec:
 preconditions:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Use of custom Seccomp profiles is disallowed. The fields
diff --git a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
index 31a9cecb4b..57aae652c7 100644
--- a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
@@ -66,6 +66,9 @@ spec:
 operator: NotEquals
 value: DELETE
 {{- end }}
+ {{- if not (quote .Values.skipBackgroundRequests | empty) }}
+ skipBackgroundRequests: {{ .Values.skipBackgroundRequests }}
+ {{- end }}
 validate:
 message: >-
 Only the following types of volumes may be used: configMap, csi, downwardAPI,
diff --git a/charts/kyverno-policies/values.yaml b/charts/kyverno-policies/values.yaml
index ad61561af6..ceb9daddb9 100644
--- a/charts/kyverno-policies/values.yaml
+++ b/charts/kyverno-policies/values.yaml
@@ -101,6 +101,9 @@ customLabels: {}
 # -- Policies background mode
 background: true
+# -- (bool) SkipBackgroundRequests bypasses admission requests that are sent by the background controller
+skipBackgroundRequests: ~
+
 # -- Kyverno version
 # The default of "autodetect" will try to determine the currently installed version from the deployment
 kyvernoVersion: autodetect
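Review bot: The new comment on `skipBackgroundRequests` in values.yaml restates the field name but does not tell an operator which value is the stricter one for these validation policies or what leaving it `~` does, which matters because this single value is applied to every rule the chart renders. Since the templates only emit the field when the value is set, `~` defers to Kyverno's own default for the field, while `false` is the setting under which admission requests sent by the background controller are still evaluated by these policies and `true` bypasses them. I would expand the comment, keeping the helm-docs `# --` prefix, along the lines of `# -- (bool) Applied to every rule in every policy. Leave unset (~) to keep Kyverno's default; false makes requests sent by the background controller subject to these policies; true bypasses them.`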