diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
index 4a7fefecb6..25fe628d39 100644
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
type: application
name: kyverno-policies
-version: v2.5.3
+version: v2.5.4
appVersion: v1.7.3
icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
description: Kubernetes Pod Security Standards implemented as Kyverno policies
@@ -31,3 +31,5 @@ annotations:
description: Ensure preconditions are present with default values
- kind: added
description: Support for failurePolicy setting in kyverno-policies helm chart
+ - kind: added
+ description: Add posibility to set validationFailureAction by Policy
diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md
index d2bf93f62f..8b0387abd1 100644
--- a/charts/kyverno-policies/README.md
+++ b/charts/kyverno-policies/README.md
@@ -2,7 +2,7 @@
Kubernetes Pod Security Standards implemented as Kyverno policies
-  
+  
## About
@@ -67,8 +67,9 @@ The command removes all the Kubernetes components associated with the chart and
| podSecuritySeverity | string | `"medium"` | Pod Security Standard (`low`, `medium`, `high`). |
| podSecurityPolicies | list | `[]` | Policies to include when `podSecurityStandard` is `custom`. |
| includeOtherPolicies | list | `[]` | Additional policies to include from `other`. |
-| validationFailureAction | string | `"audit"` | Validation failure action (`audit`, `enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
| failurePolicy | string | `"Fail"` | API server behavior if the webhook fails to respond ('Ignore', 'Fail') For more info: https://kyverno.io/docs/writing-policies/policy-settings/ |
+| validationFailureAction | string | `"audit"` | Validation failure action (`audit`, `enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
+| validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. |
| validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. |
| policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. |
| policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. |
diff --git a/charts/kyverno-policies/ci/test-values.yaml b/charts/kyverno-policies/ci/test-values.yaml
index a7c69adb5e..99be4e1ca8 100644
--- a/charts/kyverno-policies/ci/test-values.yaml
+++ b/charts/kyverno-policies/ci/test-values.yaml
@@ -1,6 +1,8 @@
podSecurityStandard: restricted
includeOtherPolicies:
- require-non-root-groups
+validationFailureActionByPolicy:
+ require-non-root-groups: enforce
validationFailureActionOverrides:
all:
- action: audit
diff --git a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
index 2e6ff8d21f..4feb2746de 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
@@ -18,7 +18,11 @@ metadata:
policies.kyverno.io/description: >-
Adding capabilities beyond those listed in the policy must be disallowed.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
index c24e8bbda9..fd4c7e0a15 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
@@ -19,7 +19,11 @@ metadata:
privileges. Pods should not be allowed access to host namespaces. This policy ensures
fields which make use of these host namespaces are unset or set to `false`.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
index fe04cd6327..24e2142ade 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
@@ -18,7 +18,11 @@ metadata:
Using host resources can be used to access shared data or escalate privileges
and should not be allowed. This policy ensures no hostPath volumes are in use.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
index 57511b9aa6..0505efcba7 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
@@ -18,7 +18,11 @@ metadata:
allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
field is unset or set to `0`.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
index 2ce2733cda..b778327b57 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
@@ -19,7 +19,11 @@ metadata:
policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures
the `hostProcess` field, if present, is set to `false`.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
index 79e13521da..81704fd5b1 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
@@ -17,7 +17,11 @@ metadata:
Privileged mode disables most security mechanisms and must not be allowed. This policy
ensures Pods do not call for privileged mode.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
index 0d6a298179..6df42e9ef8 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
@@ -19,7 +19,11 @@ metadata:
to deviate from the `Default` procMount requires setting a feature gate at the API
server.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
index 6c18ad991d..4e4c17882f 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
@@ -17,7 +17,11 @@ metadata:
SELinux options can be used to escalate privileges and should not be allowed. This policy
ensures that the `seLinuxOptions` field is undefined.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
index b59b661041..18866db8b4 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
@@ -20,7 +20,11 @@ metadata:
overrides to an allowed set of profiles. This policy ensures Pods do not
specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
index faa98d0c4e..e01f954b07 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
@@ -19,7 +19,11 @@ metadata:
set to `RuntimeDefault` or `Localhost`.
spec:
background: {{ .Values.background }}
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
index 30786082a8..2ae0519104 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
@@ -21,7 +21,11 @@ metadata:
This policy ensures that only those "safe" subsets can be specified in
a Pod.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
index d81de6abea..a7e8c5906e 100644
--- a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
+++ b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
@@ -19,7 +19,11 @@ metadata:
greater than zero (i.e., non root). A known issue prevents a policy such as this
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
index 0fa82a79b3..625e78ffa5 100644
--- a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
@@ -19,7 +19,11 @@ metadata:
Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
all containers must explicitly drop `ALL` capabilities.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
index add547a13d..c9114ef158 100644
--- a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
@@ -17,7 +17,11 @@ metadata:
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
index 4b24c184c1..0954f7e7f5 100644
--- a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
@@ -17,7 +17,11 @@ metadata:
Containers must be required to run as non-root users. This policy ensures
`runAsUser` is either unset or set to a number greater than zero.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
index dcfcfb73eb..e67b2da501 100644
--- a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
@@ -18,7 +18,11 @@ metadata:
`runAsNonRoot` is set to `true`. A known issue prevents a policy such as this
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
index 8a2670761c..6971a75bd6 100644
--- a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
@@ -20,7 +20,11 @@ metadata:
set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this
using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
index 857cc88975..dc6d8c28ad 100644
--- a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
@@ -20,7 +20,11 @@ metadata:
limits usage of non-core volume types to those defined through PersistentVolumes.
This policy blocks any other type of volume other than those in the allow list.
spec:
+ {{- with index .Values "validationFailureActionByPolicy" $name }}
+ validationFailureAction: {{ toYaml . }}
+ {{- else }}
validationFailureAction: {{ .Values.validationFailureAction }}
+ {{- end }}
{{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
{{- end }}
diff --git a/charts/kyverno-policies/values.yaml b/charts/kyverno-policies/values.yaml
index bccf2e5eaa..74bfc1df77 100644
--- a/charts/kyverno-policies/values.yaml
+++ b/charts/kyverno-policies/values.yaml
@@ -12,13 +12,20 @@ podSecurityPolicies: []
includeOtherPolicies: []
# - require-non-root-groups
+# -- API server behavior if the webhook fails to respond ('Ignore', 'Fail')
+# For more info: https://kyverno.io/docs/writing-policies/policy-settings/
+failurePolicy: Fail
+
# -- Validation failure action (`audit`, `enforce`).
# For more info https://kyverno.io/docs/writing-policies/validate.
validationFailureAction: audit
-# -- API server behavior if the webhook fails to respond ('Ignore', 'Fail')
-# For more info: https://kyverno.io/docs/writing-policies/policy-settings/
-failurePolicy: Fail
+# -- Define validationFailureActionByPolicy for specific policies.
+# Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies.
+validationFailureActionByPolicy: {}
+# disallow-capabilities-strict: enforce
+# disallow-host-path: enforce
+# disallow-host-ports: enforce
# -- Define validationFailureActionOverrides for specific policies.
# The overrides for `all` will apply to all policies.