mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-31 03:45:17 +00:00
fix: kubernetes and kyverno version annotations in kyverno-policies helm chart to match installed kyverno release and supported versions from Chart.yaml with override option (kyverno#1165) (#11258)
Signed-off-by: kiyanser <sergey.kiyan@strabag.com> Co-authored-by: kiyanser <sergey.kiyan@strabag.com> Co-authored-by: shuting <shuting@nirmata.com>
This commit is contained in:
parent
8dfd529661
commit
338d2ad473
20 changed files with 41 additions and 36 deletions
@ -92,6 +92,7 @@ The command removes all the Kubernetes components associated with the chart and
|
||||||
| background | bool | `true` | Policies background mode |
|
| background | bool | `true` | Policies background mode |
|
||||||
| skipBackgroundRequests | bool | `nil` | SkipBackgroundRequests bypasses admission requests that are sent by the background controller |
|
| skipBackgroundRequests | bool | `nil` | SkipBackgroundRequests bypasses admission requests that are sent by the background controller |
|
||||||
| kyvernoVersion | string | `"autodetect"` | Kyverno version The default of "autodetect" will try to determine the currently installed version from the deployment |
|
| kyvernoVersion | string | `"autodetect"` | Kyverno version The default of "autodetect" will try to determine the currently installed version from the deployment |
|
||||||
|
| kubeVersionOverride | string | `nil` | Kubernetes version override Override default value of kubeVersion set by release team taken from Chart.yaml with custom value. Ideally range of versions no more than two prior (ex., 1.28-1.31), must be enclosed in quotes. |
|
||||||
|
|
||||||
## Source Code
|
## Source Code
|
||||||
|
|
||||||
|
|
|
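Review bot: the new `kubeVersionOverride` row's guidance is internally inconsistent and under-explained: it says "no more than two prior" but the example `1.28-1.31` spans three prior minor versions, and "must be enclosed in quotes" gives no reason. Suggest wording along the lines of `Ideally a range of no more than two prior minor versions (e.g. "1.29-1.31"); quote the value so YAML does not parse it as a number.` If this table is generated from the values.yaml comments, the fix belongs in that comment rather than here. The `kyvernoVersion` row should also say what happens when autodetection fails; from the templates in this change the fallback is `.Chart.AppVersion`, and that is worth stating in the description so operators know which value they will get.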
@ -14,9 +14,9 @@ metadata:
|
||||||
{{- if .Values.podSecuritySeverity }}
|
{{- if .Values.podSecuritySeverity }}
|
||||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
policies.kyverno.io/minversion: 1.6.0
|
policies.kyverno.io/minversion: 1.6.0
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
Adding capabilities beyond those listed in the policy must be disallowed.
|
Adding capabilities beyond those listed in the policy must be disallowed.
|
||||||
|
|
|
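Review bot: the rewritten `kyverno.io/kyverno-version` line renders its value unquoted, while the `kyverno.io/kubernetes-version` line two lines below wraps its template in quotes. Annotation values must be strings; the old literal `1.6.0` was only safe because two dots make YAML treat it as a string, whereas a two-component value coming back from the helper or from `.Chart.AppVersion` (for example `1.13`) would be parsed as a float and the API server would reject the annotation map. Suggest `kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) | quote }}`. Separately, `.Chart.KubeVersion` is the Chart.yaml `kubeVersion` field, which Helm treats as a SemVer constraint (a `>=1.x.0-0` style expression), so the rendered `kyverno.io/kubernetes-version` will no longer have the `"1.22-1.23"` range shape the old value had; confirm that whatever consumes that annotation accepts the constraint syntax, or normalise it in the helper before it is emitted.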
@ -13,8 +13,8 @@ metadata:
|
||||||
{{- if .Values.podSecuritySeverity }}
|
{{- if .Values.podSecuritySeverity }}
|
||||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
|
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
|
||||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
||||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
policies.kyverno.io/subject: Pod,Volume
|
policies.kyverno.io/subject: Pod,Volume
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
HostPath volumes let Pods use host directories and volumes in containers.
|
HostPath volumes let Pods use host directories and volumes in containers.
|
||||||
Using host resources can be used to access shared data or escalate privileges
|
Using host resources can be used to access shared data or escalate privileges
|
||||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
||||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
Access to host ports allows potential snooping of network traffic and should not be
|
Access to host ports allows potential snooping of network traffic and should not be
|
||||||
allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
|
allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
|
||||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
||||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
Windows pods offer the ability to run HostProcess containers which enables privileged
|
Windows pods offer the ability to run HostProcess containers which enables privileged
|
||||||
access to the Windows node. Privileged access to the host is disallowed in the baseline
|
access to the Windows node. Privileged access to the host is disallowed in the baseline
|
||||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
||||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
Privileged mode disables most security mechanisms and must not be allowed. This policy
|
Privileged mode disables most security mechanisms and must not be allowed. This policy
|
||||||
ensures Pods do not call for privileged mode.
|
ensures Pods do not call for privileged mode.
|
||||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
||||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
The default /proc masks are set up to reduce attack surface and should be required. This policy
|
The default /proc masks are set up to reduce attack surface and should be required. This policy
|
||||||
ensures nothing but the default procMount can be specified. Note that in order for users
|
ensures nothing but the default procMount can be specified. Note that in order for users
|
||||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
||||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
SELinux options can be used to escalate privileges and should not be allowed. This policy
|
SELinux options can be used to escalate privileges and should not be allowed. This policy
|
||||||
ensures that the `seLinuxOptions` field is undefined.
|
ensures that the `seLinuxOptions` field is undefined.
|
||||||
|
|
|
@ -15,8 +15,8 @@ metadata:
|
||||||
{{- end }}
|
{{- end }}
|
||||||
policies.kyverno.io/subject: Pod, Annotation
|
policies.kyverno.io/subject: Pod, Annotation
|
||||||
policies.kyverno.io/minversion: 1.3.0
|
policies.kyverno.io/minversion: 1.3.0
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
|
On supported hosts, the 'runtime/default' AppArmor profile is applied by default.
|
||||||
The default policy should prevent overriding or disabling the policy, or restrict
|
The default policy should prevent overriding or disabling the policy, or restrict
|
||||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
||||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
The seccomp profile must not be explicitly set to Unconfined. This policy,
|
The seccomp profile must not be explicitly set to Unconfined. This policy,
|
||||||
requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
|
requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
|
||||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
||||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
Sysctls can disable security mechanisms or affect all containers on a
|
Sysctls can disable security mechanisms or affect all containers on a
|
||||||
host, and should be disallowed except for an allowed "safe" subset. A
|
host, and should be disallowed except for an allowed "safe" subset. A
|
||||||
|
|
|
@ -13,8 +13,8 @@ metadata:
|
||||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
policies.kyverno.io/minversion: 1.3.6
|
policies.kyverno.io/minversion: 1.3.6
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
Containers should be forbidden from running with a root primary or supplementary GID.
|
Containers should be forbidden from running with a root primary or supplementary GID.
|
||||||
|
|
|
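Review bot: this template already applies `| quote` to `policies.kyverno.io/severity`, so the unquoted `kyverno.io/kyverno-version` template added a few lines below stands out; apply the same `| quote` there so a version without a patch component cannot be emitted as a YAML float and break the annotation map, and keep the quoting convention uniform within the file.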
@ -15,8 +15,8 @@ metadata:
|
||||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
policies.kyverno.io/minversion: 1.6.0
|
policies.kyverno.io/minversion: 1.6.0
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
|
Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
|
||||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
||||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
|
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
|
||||||
This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
|
This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
|
||||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
||||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
Containers must be required to run as non-root users. This policy ensures
|
Containers must be required to run as non-root users. This policy ensures
|
||||||
`runAsUser` is either unset or set to a number greater than zero.
|
`runAsUser` is either unset or set to a number greater than zero.
|
||||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
||||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
Containers must be required to run as non-root users. This policy ensures
|
Containers must be required to run as non-root users. This policy ensures
|
||||||
`runAsNonRoot` is set to `true`. A known issue prevents a policy such as this
|
`runAsNonRoot` is set to `true`. A known issue prevents a policy such as this
|
||||||
|
|
|
@ -14,8 +14,8 @@ metadata:
|
||||||
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
policies.kyverno.io/subject: Pod
|
policies.kyverno.io/subject: Pod
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
The seccomp profile in the Restricted group must not be explicitly set to Unconfined
|
The seccomp profile in the Restricted group must not be explicitly set to Unconfined
|
||||||
but additionally must also not allow an unset value. This policy,
|
but additionally must also not allow an unset value. This policy,
|
||||||
|
|
|
@ -16,8 +16,8 @@ metadata:
|
||||||
{{- end }}
|
{{- end }}
|
||||||
policies.kyverno.io/subject: Pod,Volume
|
policies.kyverno.io/subject: Pod,Volume
|
||||||
policies.kyverno.io/minversion: 1.6.0
|
policies.kyverno.io/minversion: 1.6.0
|
||||||
kyverno.io/kubernetes-version: "1.22-1.23"
|
kyverno.io/kubernetes-version: "{{ default .Chart.KubeVersion .Values.kubeVersionOverride }}"
|
||||||
kyverno.io/kyverno-version: 1.6.0
|
kyverno.io/kyverno-version: {{ default .Chart.AppVersion (include "kyverno-policies.kyvernoVersion" .) }}
|
||||||
policies.kyverno.io/description: >-
|
policies.kyverno.io/description: >-
|
||||||
In addition to restricting HostPath volumes, the restricted pod security profile
|
In addition to restricting HostPath volumes, the restricted pod security profile
|
||||||
limits usage of non-core volume types to those defined through PersistentVolumes.
|
limits usage of non-core volume types to those defined through PersistentVolumes.
|
||||||
|
|
|
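Review bot: minor, but this is the only policy template in the change where `kyverno.io/kubernetes-version` is listed before `kyverno.io/kyverno-version`; every other template keeps the kyverno-version line first. Since both lines are being rewritten here anyway, reorder them to match the rest so a diff across the policy set stays mechanical.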
@ -114,3 +114,7 @@ skipBackgroundRequests: ~
|
||||||
# -- Kyverno version
|
# -- Kyverno version
|
||||||
# The default of "autodetect" will try to determine the currently installed version from the deployment
|
# The default of "autodetect" will try to determine the currently installed version from the deployment
|
||||||
kyvernoVersion: autodetect
|
kyvernoVersion: autodetect
|
||||||
|
|
||||||
|
# -- Kubernetes version override
|
||||||
|
# Override default value of kubeVersion set by release team taken from Chart.yaml with custom value. Ideally range of versions no more than two prior (ex., 1.28-1.31), must be enclosed in quotes.
|
||||||
|
kubeVersionOverride:
|
||||||
|
|
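Review bot: `kubeVersionOverride:` is left bare, which yields null, but the context line above shows this file spells an unset value as `skipBackgroundRequests: ~`; use `kubeVersionOverride: ~` for consistency. The comment's "must be enclosed in quotes" should say why: an unquoted value such as `1.30` is parsed by YAML as the float `1.3`, and because `default` only falls back on an empty value, that mangled number would be rendered into every policy's `kyverno.io/kubernetes-version` annotation. Same nit as in the README table: the example `1.28-1.31` does not match "no more than two prior".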