feat(policies chart): Add ability to set autogen behavior (#5517)

* feat(kyverno-policies): Add ability to set autogen behavior Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> * fix(kyverno-policies): Fix missing labels Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> * chore: Apply changes from code review - Update changelog annotations - Add test Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> * Update charts/kyverno-policies/Chart.yaml Signed-off-by: shuting <shutting06@gmail.com> * fix: Move test-autogen-none.yaml -> test-autogen-none-values.yaml Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> * fix: Run make codegen-helm-all Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> Signed-off-by: shuting <shutting06@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: shuting <shutting06@gmail.com>
2025-03-28 10:28:36 +00:00 · 2022-12-01 11:05:56 +01:00 · 2022-12-01 11:05:56 +01:00 · 91adf68602
commit 91adf68602
parent db9faf5835
22 changed files with 81 additions and 16 deletions
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
@ -24,20 +24,6 @@ annotations:
  # valid kinds are: added, changed, deprecated, removed, fixed and security
  artifacthub.io/changes: |
    - kind: added
-      description: Add possibility to manually set kyvernoVersion and avoid autodetection
-    - kind: added
-      description: Support for artifacthub.io/changes annotation
+      description: Add ability to configure autogen behavior
    - kind: fixed
-      description: Fix Kyverno version check when image tag contains registry port number
-    - kind: fixed
-      description: Ensure preconditions are present with default values
-    - kind: added
-      description: Support for failurePolicy setting in kyverno-policies helm chart
-    - kind: added
-      description: Add possibility to set validationFailureAction by Policy
-    - kind: added
-      description: Added ability to get additional policies from restricted
-    - kind: fixed
-      description: Applied fix in preconditions for background mode
-    - kind: added
-      description: Added case insensitivity guarantees to disallow-capabilities-strict
+      description: Support for customLabels, they were ignored up to now
--- a/charts/kyverno-policies/README.md
+++ b/charts/kyverno-policies/README.md
@ -74,6 +74,7 @@ The command removes all the Kubernetes components associated with the chart and
 | validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. |
 | policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. |
 | policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. |
+| autogenControllers | string | `""` | Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`) For more info https://kyverno.io/docs/writing-policies/autogen/. |
 | nameOverride | string | `nil` | Name override. |
 | customLabels | object | `{}` | Additional labels. |
 | background | bool | `true` | Policies background mode |
--- a/charts/kyverno-policies/ci/test-autogen-none-values.yaml
+++ b/charts/kyverno-policies/ci/test-autogen-none-values.yaml
@ -0,0 +1,2 @@
+podSecurityStandard: restricted
+autogenControllers: none
--- a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
@ -6,6 +6,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Disallow Capabilities
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    {{- if .Values.podSecuritySeverity }}
@ -17,6 +20,7 @@ metadata:
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Adding capabilities beyond those listed in the policy must be disallowed.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Disallow Host Namespaces
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    {{- if .Values.podSecuritySeverity }}
@ -18,6 +21,7 @@ metadata:
      network namespace) allow access to shared information and can be used to elevate
      privileges. Pods should not be allowed access to host namespaces. This policy ensures
      fields which make use of these host namespaces are unset or set to `false`.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Disallow hostPath
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    {{- if .Values.podSecuritySeverity }}
@ -17,6 +20,7 @@ metadata:
      HostPath volumes let Pods use host directories and volumes in containers.
      Using host resources can be used to access shared data or escalate privileges
      and should not be allowed. This policy ensures no hostPath volumes are in use.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Disallow hostPorts
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    {{- if .Values.podSecuritySeverity }}
@ -17,6 +20,7 @@ metadata:
      Access to host ports allows potential snooping of network traffic and should not be
      allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
      field is unset or set to `0`.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Disallow hostProcess
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    {{- if .Values.podSecuritySeverity }}
@ -18,6 +21,7 @@ metadata:
      access to the Windows node. Privileged access to the host is disallowed in the baseline
      policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures
      the `hostProcess` field, if present, is set to `false`.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Disallow Privileged Containers
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    {{- if .Values.podSecuritySeverity }}
@ -16,6 +19,7 @@ metadata:
    policies.kyverno.io/description: >-
      Privileged mode disables most security mechanisms and must not be allowed. This policy
      ensures Pods do not call for privileged mode.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Disallow procMount
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    {{- if .Values.podSecuritySeverity }}
@ -18,6 +21,7 @@ metadata:
      ensures nothing but the default procMount can be specified. Note that in order for users
      to deviate from the `Default` procMount requires setting a feature gate at the API
      server.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Disallow SELinux
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    {{- if .Values.podSecuritySeverity }}
@ -16,6 +19,7 @@ metadata:
    policies.kyverno.io/description: >-
      SELinux options can be used to escalate privileges and should not be allowed. This policy
      ensures that the `seLinuxOptions` field is undefined.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Restrict AppArmor
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    {{- if .Values.podSecuritySeverity }}
@ -19,6 +22,7 @@ metadata:
      The default policy should prevent overriding or disabling the policy, or restrict
      overrides to an allowed set of profiles. This policy ensures Pods do not
      specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Restrict Seccomp
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    {{- if .Values.podSecuritySeverity }}
@ -17,6 +20,7 @@ metadata:
      The seccomp profile must not be explicitly set to Unconfined. This policy,
      requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
      set to `RuntimeDefault` or `Localhost`.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  background: {{ .Values.background }}
  {{- with index .Values "validationFailureActionByPolicy" $name }}
--- a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Restrict sysctls
    policies.kyverno.io/category: Pod Security Standards (Baseline)
    {{- if .Values.podSecuritySeverity }}
@ -20,6 +23,7 @@ metadata:
      Pod, and it is isolated from other Pods or processes on the same Node.
      This policy ensures that only those "safe" subsets can be specified in
      a Pod.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
+++ b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/category: Sample
    {{- if .Values.podSecuritySeverity }}
    policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
@ -18,6 +21,7 @@ metadata:
      This policy ensures the `runAsGroup`, `supplementalGroups`, and `fsGroup` fields are set to a number
      greater than zero (i.e., non root). A known issue prevents a policy such as this
      using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
@ -6,6 +6,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Disallow Capabilities (Strict)
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    {{- if .Values.podSecuritySeverity }}
@ -18,6 +21,7 @@ metadata:
    policies.kyverno.io/description: >-
      Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
      all containers must explicitly drop `ALL` capabilities.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Disallow Privilege Escalation
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    {{- if .Values.podSecuritySeverity }}
@ -16,6 +19,7 @@ metadata:
    policies.kyverno.io/description: >-
      Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
      This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Require Run As Non-Root User
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    {{- if .Values.podSecuritySeverity }}
@ -16,6 +19,7 @@ metadata:
    policies.kyverno.io/description: >-
      Containers must be required to run as non-root users. This policy ensures
      `runAsUser` is either unset or set to a number greater than zero.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Require runAsNonRoot
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    {{- if .Values.podSecuritySeverity }}
@ -17,6 +20,7 @@ metadata:
      Containers must be required to run as non-root users. This policy ensures
      `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this
      using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Restrict Seccomp (Strict)
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    {{- if .Values.podSecuritySeverity }}
@ -19,6 +22,7 @@ metadata:
      requiring Kubernetes v1.19 or later, ensures that seccomp is
      set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this
      using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
@ -6,6 +6,9 @@ kind: ClusterPolicy
 metadata:
  name: {{ $name }}
  annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
    policies.kyverno.io/title: Restrict Volume Types
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    {{- if .Values.podSecuritySeverity }}
@ -19,6 +22,7 @@ metadata:
      In addition to restricting HostPath volumes, the restricted pod security profile
      limits usage of non-core volume types to those defined through PersistentVolumes.
      This policy blocks any other type of volume other than those in the allow list.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
  {{- with index .Values "validationFailureActionByPolicy" $name }}
  validationFailureAction: {{ toYaml . }}
--- a/charts/kyverno-policies/values.yaml
+++ b/charts/kyverno-policies/values.yaml
@ -84,6 +84,10 @@ policyPreconditions: {}
  #     operator: NotEquals
  #     value: "dcgm-exporter*"

+# -- Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`)
+# For more info https://kyverno.io/docs/writing-policies/autogen/.
+autogenControllers: ""
+
 # -- Name override.
 nameOverride: