Changing policyType to podSecurityStandard

Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
2025-03-31 03:45:17 +00:00 · 2021-01-24 14:05:50 +05:30 · 2021-01-24 14:05:50 +05:30 · 5d7d7157ad
commit 5d7d7157ad
parent bb9e73a316
16 changed files with 18 additions and 17 deletions
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -99,7 +99,7 @@ Parameter | Description | Default
 `service.type` | type of service | `ClusterIP`
 `tolerations` | list of node taints to tolerate | `[]`
 `securityContext` | security context configuration | `{}`
-
+`podSecurityStandard` | set desired pod security level `privileged`, `default`, `restricted`. Set to `restricted` for maximum security for your cluster. See:  https://kyverno.io/policies/pod-security/ | `default`

 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

--- a/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-adding-capabilities.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.policyType "default" }}
+{{- if eq .Values.podSecurityStandard "default" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
--- a/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-host-namespaces.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.policyType "default" }}
+{{- if eq .Values.podSecurityStandard "default" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
--- a/charts/kyverno/templates/policies/default/disallow-host-path.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-host-path.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.policyType "default" }}
+{{- if eq .Values.podSecurityStandard "default" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
--- a/charts/kyverno/templates/policies/default/disallow-host-ports.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-host-ports.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.policyType "default" }}
+{{- if eq .Values.podSecurityStandard "default" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
--- a/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-privileged-containers.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.policyType "default" }}
+{{- if eq .Values.podSecurityStandard "default" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
--- a/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-proc-mount.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.policyType "default" }}
+{{- if eq .Values.podSecurityStandard "default" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
--- a/charts/kyverno/templates/policies/default/disallow-selinux.yaml
+++ b/charts/kyverno/templates/policies/default/disallow-selinux.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.policyType "default" }}
+{{- if eq .Values.podSecurityStandard "default" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
--- a/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml
+++ b/charts/kyverno/templates/policies/default/restrict-apparmor-profiles.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.policyType "default" }}
+{{- if eq .Values.podSecurityStandard "default" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
--- a/charts/kyverno/templates/policies/default/restrict-sysctls.yaml
+++ b/charts/kyverno/templates/policies/default/restrict-sysctls.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.policyType "default" }}
+{{- if eq .Values.podSecurityStandard "default" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
--- a/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml
+++ b/charts/kyverno/templates/policies/restricted/deny-privilege-escalation.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.policyType "restricted" }}
+{{- if eq .Values.podSecurityStandard "restricted" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
--- a/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
+++ b/charts/kyverno/templates/policies/restricted/require-non-root-groups.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.policyType "restricted" }}
+{{- if eq .Values.podSecurityStandard "restricted" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
--- a/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml
+++ b/charts/kyverno/templates/policies/restricted/require-run-as-nonroot.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.policyType "restricted" }}
+{{- if eq .Values.podSecurityStandard "restricted" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
--- a/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml
+++ b/charts/kyverno/templates/policies/restricted/restrict-seccomp.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.policyType "restricted" }}
+{{- if eq .Values.podSecurityStandard "restricted" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
--- a/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml
+++ b/charts/kyverno/templates/policies/restricted/restrict-volume-types.yaml
@ -1,4 +1,4 @@
-{{- if eq .Values.policyType "restricted" }}
+{{- if eq .Values.podSecurityStandard "restricted" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -1,8 +1,9 @@
 nameOverride:
 fullnameOverride:
 namespace:
-# Supported- default/restricted
-policyType: default
+# Supported- default/restricted/privileged
+# For more info- https://kyverno.io/policies/pod-security
+podSecurityStandard: default

 rbac:
  create: true