diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml index 107af24979..3c0221594d 100644 --- a/charts/kyverno-policies/Chart.yaml +++ b/charts/kyverno-policies/Chart.yaml @@ -24,20 +24,6 @@ annotations: # valid kinds are: added, changed, deprecated, removed, fixed and security artifacthub.io/changes: | - kind: added - description: Add possibility to manually set kyvernoVersion and avoid autodetection - - kind: added - description: Support for artifacthub.io/changes annotation + description: Add ability to configure autogen behavior - kind: fixed - description: Fix Kyverno version check when image tag contains registry port number - - kind: fixed - description: Ensure preconditions are present with default values - - kind: added - description: Support for failurePolicy setting in kyverno-policies helm chart - - kind: added - description: Add possibility to set validationFailureAction by Policy - - kind: added - description: Added ability to get additional policies from restricted - - kind: fixed - description: Applied fix in preconditions for background mode - - kind: added - description: Added case insensitivity guarantees to disallow-capabilities-strict + description: Support for customLabels, they were ignored up to now diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md index 2061c7837d..48ae5e1b3f 100644 --- a/charts/kyverno-policies/README.md +++ b/charts/kyverno-policies/README.md 
@@ -74,6 +74,7 @@ The command removes all the Kubernetes components associated with the chart and | validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. | | policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. | | policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. | +| autogenControllers | string | `""` | Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`) For more info https://kyverno.io/docs/writing-policies/autogen/. | | nameOverride | string | `nil` | Name override. | | customLabels | object | `{}` | Additional labels. | | background | bool | `true` | Policies background mode | diff --git a/charts/kyverno-policies/ci/test-autogen-none-values.yaml b/charts/kyverno-policies/ci/test-autogen-none-values.yaml new file mode 100644 index 0000000000..53ecdb411b --- /dev/null +++ b/charts/kyverno-policies/ci/test-autogen-none-values.yaml @@ -0,0 +1,2 @@ +podSecurityStandard: restricted +autogenControllers: none diff --git a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml index 4feb2746de..9bb70d2da6 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml 
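Review bot: The new CI values file `test-autogen-none-values.yaml` exercises only the `none` form of `autogenControllers`; the comma-separated form the README advertises (`DaemonSet,Deployment,StatefulSet`) is never rendered in chart CI, and it is the form most likely to break if the annotation value is ever quoted, whitespace-padded, or otherwise transformed in the templates. A sibling `test-autogen-list-values.yaml` with `podSecurityStandard: restricted` and `autogenControllers: DaemonSet,Deployment,StatefulSet` would cover it at the same cost. It may also be worth a third file that keeps the default `""` under `podSecurityStandard: restricted`, so a regression that starts emitting an empty annotation (which presumably would not mean "default autogen" to Kyverno) is caught.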
@@ -6,6 +6,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Disallow Capabilities policies.kyverno.io/category: Pod Security Standards (Baseline) {{- if .Values.podSecuritySeverity }} @@ -17,6 +20,7 @@ metadata: policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- Adding capabilities beyond those listed in the policy must be disallowed. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml index fd4c7e0a15..894beec574 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml @@ -5,6 +5,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Disallow Host Namespaces policies.kyverno.io/category: Pod Security Standards (Baseline) {{- if .Values.podSecuritySeverity }} @@ -18,6 +21,7 @@ metadata: network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are unset or set to `false`. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} 
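Review bot: `pod-policies.kyverno.io/autogen-controllers: {{ . }}` in the disallow-capabilities annotations hunk renders the user-supplied value as an unquoted plain scalar, so it is exposed to YAML type inference and indicator characters (a value containing `: ` or ` #` would change the rendered structure or be truncated rather than fail loudly); Kubernetes annotation values must be strings. Render it as `pod-policies.kyverno.io/autogen-controllers: {{ . | quote }}`, and apply the same change to the identical line in every template touched by this commit. Because the `with` guard makes the `""` default silently omit the annotation, a short Helm comment above the block would help the next reader: `{{- /* an empty autogenControllers omits the annotation and presumably leaves Kyverno's default autogen behaviour in place */ }}`. The `labels:` line added lower in the same file is emitted unconditionally; if `kyverno-policies.labels` can ever render nothing (the helper is not in this diff) it becomes `labels: null`, which the API server tolerates but is worth confirming against the helper.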
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml index 24e2142ade..8793ef3a0b 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml @@ -5,6 +5,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Disallow hostPath policies.kyverno.io/category: Pod Security Standards (Baseline) {{- if .Values.podSecuritySeverity }} @@ -17,6 +20,7 @@ metadata: HostPath volumes let Pods use host directories and volumes in containers. Using host resources can be used to access shared data or escalate privileges and should not be allowed. This policy ensures no hostPath volumes are in use. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml index 0505efcba7..67ec3b9c04 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml @@ -5,6 +5,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Disallow hostPorts policies.kyverno.io/category: Pod Security Standards (Baseline) {{- if .Values.podSecuritySeverity }} 
@@ -17,6 +20,7 @@ metadata: Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures the `hostPort` field is unset or set to `0`. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml index b778327b57..8ad2d0c873 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml @@ -5,6 +5,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Disallow hostProcess policies.kyverno.io/category: Pod Security Standards (Baseline) {{- if .Values.podSecuritySeverity }} @@ -18,6 +21,7 @@ metadata: access to the Windows node. Privileged access to the host is disallowed in the baseline policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures the `hostProcess` field, if present, is set to `false`. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} diff --git a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml index 81704fd5b1..1d65f0292b 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml 
@@ -5,6 +5,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Disallow Privileged Containers policies.kyverno.io/category: Pod Security Standards (Baseline) {{- if .Values.podSecuritySeverity }} @@ -16,6 +19,7 @@ metadata: policies.kyverno.io/description: >- Privileged mode disables most security mechanisms and must not be allowed. This policy ensures Pods do not call for privileged mode. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} diff --git a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml index 6df42e9ef8..c607738c73 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml @@ -5,6 +5,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Disallow procMount policies.kyverno.io/category: Pod Security Standards (Baseline) {{- if .Values.podSecuritySeverity }} @@ -18,6 +21,7 @@ metadata: ensures nothing but the default procMount can be specified. Note that in order for users to deviate from the `Default` procMount requires setting a feature gate at the API server. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} diff --git a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml index 4e4c17882f..89d0209dc1 100644 
--- a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml @@ -5,6 +5,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Disallow SELinux policies.kyverno.io/category: Pod Security Standards (Baseline) {{- if .Values.podSecuritySeverity }} @@ -16,6 +19,7 @@ metadata: policies.kyverno.io/description: >- SELinux options can be used to escalate privileges and should not be allowed. This policy ensures that the `seLinuxOptions` field is undefined. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} diff --git a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml index 18866db8b4..b58c68771b 100644 --- a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml +++ b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml @@ -5,6 +5,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Restrict AppArmor policies.kyverno.io/category: Pod Security Standards (Baseline) {{- if .Values.podSecuritySeverity }} @@ -19,6 +22,7 @@ metadata: The default policy should prevent overriding or disabling the policy, or restrict overrides to an allowed set of profiles. This policy ensures Pods do not specify any other AppArmor profiles than `runtime/default` or `localhost/*`. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} 
diff --git a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml index e01f954b07..99dbcabc32 100644 --- a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml +++ b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml @@ -5,6 +5,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Restrict Seccomp policies.kyverno.io/category: Pod Security Standards (Baseline) {{- if .Values.podSecuritySeverity }} @@ -17,6 +20,7 @@ metadata: The seccomp profile must not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.19 or later, ensures that seccomp is unset or set to `RuntimeDefault` or `Localhost`. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: background: {{ .Values.background }} {{- with index .Values "validationFailureActionByPolicy" $name }} diff --git a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml index 2ae0519104..7e3da6ad56 100644 --- a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml +++ b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml @@ -5,6 +5,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Restrict sysctls policies.kyverno.io/category: Pod Security Standards (Baseline) {{- if .Values.podSecuritySeverity }} 
@@ -20,6 +23,7 @@ metadata: Pod, and it is isolated from other Pods or processes on the same Node. This policy ensures that only those "safe" subsets can be specified in a Pod. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} diff --git a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml index a7e8c5906e..759fab90af 100644 --- a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml +++ b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml @@ -5,6 +5,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/category: Sample {{- if .Values.podSecuritySeverity }} policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }} @@ -18,6 +21,7 @@ metadata: This policy ensures the `runAsGroup`, `supplementalGroups`, and `fsGroup` fields are set to a number greater than zero (i.e., non root). A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} diff --git a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml index f3810516f3..9e84cfe75e 100644 --- a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml +++ b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml 
@@ -6,6 +6,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Disallow Capabilities (Strict) policies.kyverno.io/category: Pod Security Standards (Restricted) {{- if .Values.podSecuritySeverity }} @@ -18,6 +21,7 @@ metadata: policies.kyverno.io/description: >- Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition, all containers must explicitly drop `ALL` capabilities. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} diff --git a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml index c9114ef158..687a2eb45f 100644 --- a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml +++ b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml @@ -5,6 +5,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Disallow Privilege Escalation policies.kyverno.io/category: Pod Security Standards (Restricted) {{- if .Values.podSecuritySeverity }} @@ -16,6 +19,7 @@ metadata: policies.kyverno.io/description: >- Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to `false`. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} 
diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml index 0954f7e7f5..f40877350e 100644 --- a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml +++ b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml @@ -5,6 +5,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Require Run As Non-Root User policies.kyverno.io/category: Pod Security Standards (Restricted) {{- if .Values.podSecuritySeverity }} @@ -16,6 +19,7 @@ metadata: policies.kyverno.io/description: >- Containers must be required to run as non-root users. This policy ensures `runAsUser` is either unset or set to a number greater than zero. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml index e67b2da501..406689f32e 100644 --- a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml +++ b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml @@ -5,6 +5,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Require runAsNonRoot policies.kyverno.io/category: Pod Security Standards (Restricted) {{- if .Values.podSecuritySeverity }} 
@@ -17,6 +20,7 @@ metadata: Containers must be required to run as non-root users. This policy ensures `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} diff --git a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml index 6971a75bd6..af8888fe56 100644 --- a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml +++ b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml @@ -5,6 +5,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Restrict Seccomp (Strict) policies.kyverno.io/category: Pod Security Standards (Restricted) {{- if .Values.podSecuritySeverity }} @@ -19,6 +22,7 @@ metadata: requiring Kubernetes v1.19 or later, ensures that seccomp is set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} diff --git a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml index dc6d8c28ad..28180a7f93 100644 --- a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml +++ b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml 
@@ -6,6 +6,9 @@ kind: ClusterPolicy metadata: name: {{ $name }} annotations: + {{- with .Values.autogenControllers }} + pod-policies.kyverno.io/autogen-controllers: {{ . }} + {{- end }} policies.kyverno.io/title: Restrict Volume Types policies.kyverno.io/category: Pod Security Standards (Restricted) {{- if .Values.podSecuritySeverity }} @@ -19,6 +22,7 @@ metadata: In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes. This policy blocks any other type of volume other than those in the allow list. + labels: {{ include "kyverno-policies.labels" . | nindent 4 }} spec: {{- with index .Values "validationFailureActionByPolicy" $name }} validationFailureAction: {{ toYaml . }} diff --git a/charts/kyverno-policies/values.yaml b/charts/kyverno-policies/values.yaml index da7a2739c9..4fe5dc7fd6 100644 --- a/charts/kyverno-policies/values.yaml +++ b/charts/kyverno-policies/values.yaml @@ -84,6 +84,10 @@ policyPreconditions: {} # operator: NotEquals # value: "dcgm-exporter*" +# -- Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`) +# For more info https://kyverno.io/docs/writing-policies/autogen/. +autogenControllers: "" + # -- Name override. nameOverride:
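Review bot: The new `autogenControllers` comment in values.yaml documents the syntax but not the consequence of `none`, which is the security-relevant part: with autogen disabled the Pod Security policies match only Pods, so (per the linked autogen docs) a non-compliant Deployment or DaemonSet is admitted and the violation only surfaces when its controller tries to create the Pod, in controller events rather than at apply time. Add that to the comment, e.g. `# Setting this to none disables autogen: violations by controller-owned workloads are then only rejected or reported at Pod creation, not when the Deployment/DaemonSet/etc. is applied.` Unlike `validationFailureActionByPolicy` and `policyExclude` above it, this knob is chart-wide with no per-policy override, which is worth stating in the comment (`# Applies to every policy rendered by this chart.`) so nobody expects the per-policy map pattern the rest of the file uses. The value is not validated at render time; a `fail` guard in the templates or a `values.schema.json` pattern would turn a typo into a `helm template` error rather than a policy that Kyverno rejects, or scopes differently, after the release is already installed.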