mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
fix: kubernetes and kyverno version annotations in kyverno-policies helm chart to match installed kyverno release and supported versions from Chart.yaml with override option (kyverno#1165) (#11258)
Signed-off-by: kiyanser <sergey.kiyan@strabag.com>
Co-authored-by: kiyanser <sergey.kiyan@strabag.com>
Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
parent
8dfd529661
commit
338d2ad473
20 changed files with 41 additions and 36 deletions
@ -92,6 +92,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| background | bool | `true` | Policies background mode |
|
||||
| skipBackgroundRequests | bool | `nil` | SkipBackgroundRequests bypasses admission requests that are sent by the background controller |
|
||||
| kyvernoVersion | string | `"autodetect"` | Kyverno version The default of "autodetect" will try to determine the currently installed version from the deployment |
|
||||
| kubeVersionOverride | string | `nil` | Kubernetes version override Override default value of kubeVersion set by release team taken from Chart.yaml with custom value. Ideally range of versions no more than two prior (ex., 1.28-1.31), must be enclosed in quotes. |
|
||||
|
||||
## Source Code
|
||||
|
||||
|
|
|
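Review bot: the new kubeVersionOverride row contradicts its own example: "no more than two prior" does not match "1.28-1.31", which spans four minor versions, and "Override default value of kubeVersion set by release team taken from Chart.yaml with custom value" is hard to parse. This table reproduces the `# --` comments from values.yaml verbatim (compare the kyvernoVersion row with its comment in the values.yaml hunk), so fix the wording in values.yaml and regenerate the row rather than editing it here. The kyvernoVersion row is unchanged context; only the kubeVersionOverride row is new in this hunk.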
@ -14,9 +14,9 @@ metadata:
|
|||
{{- if .Values.podSecuritySeverity }}
|
||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
Adding capabilities beyond those listed in the policy must be disallowed.
|
||||
|
|
|
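Review bot: the new kyverno-version line emits the template output unquoted while the kubernetes-version line beside it is quoted; annotation values must be strings, and an output without a patch component such as `1.13` would be parsed as a YAML float and rejected by the API server, so render it as `kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) | quote }}` (the same applies to the seventeen sibling templates changed the same way). Also confirm what the kubernetes-version fallback actually renders: Helm's `.Chart.KubeVersion` is the chart's `kubeVersion` field, which is a semver constraint (for example `>=1.25.0-0`), so without an override the annotation may hold a constraint expression instead of the "1.22-1.23" range form it has carried until now, and anything that parses the annotation as a range should be checked. The `kyverno-policies.kyvernoVersion` helper is not defined anywhere in this change; it must already exist in the chart's helpers (the `kyvernoVersion: autodetect` value it reads is unchanged context in the values.yaml hunk), so please verify that before merging.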
@ -13,8 +13,8 @@ metadata:
|
|||
{{- if .Values.podSecuritySeverity }}
|
||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
|
||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod,Volume
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/description: >-
|
||||
HostPath volumes let Pods use host directories and volumes in containers.
|
||||
Using host resources can be used to access shared data or escalate privileges
|
||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/description: >-
|
||||
Access to host ports allows potential snooping of network traffic and should not be
|
||||
allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
|
||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/description: >-
|
||||
Windows pods offer the ability to run HostProcess containers which enables privileged
|
||||
access to the Windows node. Privileged access to the host is disallowed in the baseline
|
||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/description: >-
|
||||
Privileged mode disables most security mechanisms and must not be allowed. This policy
|
||||
ensures Pods do not call for privileged mode.
|
||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/description: >-
|
||||
The default /proc masks are set up to reduce attack surface and should be required. This policy
|
||||
ensures nothing but the default procMount can be specified. Note that in order for users
|
||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/description: >-
|
||||
SELinux options can be used to escalate privileges and should not be allowed. This policy
|
||||
ensures that the `seLinuxOptions` field is undefined.
|
||||
|
|
|
@ -15,8 +15,8 @@ metadata:
|
|||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod, Annotation
|
||||
policies.kyverno.io/minversion: 1.3.0
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/description: >-
|
||||
On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
|
||||
The default policy should prevent overriding or disabling the policy, or restrict
|
||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/description: >-
|
||||
The seccomp profile must not be explicitly set to Unconfined. This policy,
|
||||
requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
|
||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/description: >-
|
||||
Sysctls can disable security mechanisms or affect all containers on a
|
||||
host, and should be disallowed except for an allowed "safe" subset. A
|
||||
|
|
|
@ -13,8 +13,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/minversion: 1.3.6
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
Containers should be forbidden from running with a root primary or supplementary GID.
|
||||
|
|
|
@ -15,8 +15,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/subject: Pod
|
||||
policies.kyverno.io/description: >-
|
||||
Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
|
||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/description: >-
|
||||
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
|
||||
This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
|
||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/description: >-
|
||||
Containers must be required to run as non-root users. This policy ensures
|
||||
`runAsUser` is either unset or set to a number greater than zero.
|
||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/description: >-
|
||||
Containers must be required to run as non-root users. This policy ensures
|
||||
`runAsNonRoot` is set to `true`. A known issue prevents a policy such as this
|
||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
|||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
policies.kyverno.io/description: >-
|
||||
The seccomp profile in the Restricted group must not be explicitly set to Unconfined
|
||||
but additionally must also not allow an unset value. This policy,
|
||||
|
|
|
@ -16,8 +16,8 @@ metadata:
|
|||
{{- end }}
|
||||
policies.kyverno.io/subject: Pod,Volume
|
||||
policies.kyverno.io/minversion: 1.6.0
|
||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
||||
kyverno.io/kyverno-version: 1.6.0
|
||||
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||
policies.kyverno.io/description: >-
|
||||
In addition to restricting HostPath volumes, the restricted pod security profile
|
||||
limits usage of non-core volume types to those defined through PersistentVolumes.
|
||||
|
|
|
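Review bot: nit, this file emits the two annotations in the opposite order (kubernetes-version before kyverno-version) from the other seventeen policy templates in this change; since both lines are rewritten anyway, this is the moment to make the order consistent across the chart.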
@ -114,3 +114,7 @@ skipBackgroundRequests: ~
|
|||
# -- Kyverno version
|
||||
# The default of "autodetect" will try to determine the currently installed version from the deployment
|
||||
kyvernoVersion: autodetect
|
||||
|
||||
# -- Kubernetes version override
|
||||
# Override default value of kubeVersion set by release team taken from Chart.yaml with custom value. Ideally range of versions no more than two prior (ex., 1.28-1.31), must be enclosed in quotes.
|
||||
kubeVersionOverride:
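Review bot: `kubeVersionOverride:` with no value yields null, which `default` treats as unset, so the fallback to `.Chart.KubeVersion` works, but the file's convention for an intentionally empty value is `~` (see the `skipBackgroundRequests: ~` context line), so write `kubeVersionOverride: ~`. The `# --` comment is what ends up in the README, and as written its example contradicts its limit ("no more than two prior" versus "1.28-1.31", four minor versions) and the sentence is hard to parse; suggested replacement: `# -- Kubernetes version override. Replaces the version range taken from Chart.yaml; keep it to a narrow range of supported versions and enclose it in quotes, for example "1.28-1.31".` (Pick either the limit or the example, but make them agree.)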
|
||||
|
|