From 91adf6860201245352bf05420a92c2fd4be0d596 Mon Sep 17 00:00:00 2001
From: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
Date: Thu, 1 Dec 2022 11:05:56 +0100
Subject: [PATCH] feat(policies chart): Add ability to set autogen behavior
 (#5517)

* feat(kyverno-policies): Add ability to set autogen behavior

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

* fix(kyverno-policies): Fix missing labels

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

* chore: Apply changes from code review

- Update changelog annotations
- Add test

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

* Update charts/kyverno-policies/Chart.yaml

Signed-off-by: shuting <shutting06@gmail.com>

* fix: Move test-autogen-none.yaml -> test-autogen-none-values.yaml

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

* fix: Run make codegen-helm-all

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>

Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
Signed-off-by: shuting <shutting06@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: shuting <shutting06@gmail.com>
---
 charts/kyverno-policies/Chart.yaml             | 18 ++----------------
 charts/kyverno-policies/README.md              |  1 +
 .../ci/test-autogen-none-values.yaml           |  2 ++
 .../baseline/disallow-capabilities.yaml        |  4 ++++
 .../baseline/disallow-host-namespaces.yaml     |  4 ++++
 .../templates/baseline/disallow-host-path.yaml |  4 ++++
 .../baseline/disallow-host-ports.yaml          |  4 ++++
 .../baseline/disallow-host-process.yaml        |  4 ++++
 .../disallow-privileged-containers.yaml        |  4 ++++
 .../baseline/disallow-proc-mount.yaml          |  4 ++++
 .../templates/baseline/disallow-selinux.yaml   |  4 ++++
 .../baseline/restrict-apparmor-profiles.yaml   |  4 ++++
 .../templates/baseline/restrict-seccomp.yaml   |  4 ++++
 .../templates/baseline/restrict-sysctls.yaml   |  4 ++++
 .../other/require-non-root-groups.yaml         |  4 ++++
 .../disallow-capabilities-strict.yaml          |  4 ++++
 .../disallow-privilege-escalation.yaml         |  4 ++++
 .../require-run-as-non-root-user.yaml          |  4 ++++
 .../restricted/require-run-as-nonroot.yaml     |  4 ++++
 .../restricted/restrict-seccomp-strict.yaml    |  4 ++++
 .../restricted/restrict-volume-types.yaml      |  4 ++++
 charts/kyverno-policies/values.yaml            |  4 ++++
 22 files changed, 81 insertions(+), 16 deletions(-)
 create mode 100644 charts/kyverno-policies/ci/test-autogen-none-values.yaml

diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
index 107af24979..3c0221594d 100644
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
@@ -24,20 +24,6 @@ annotations:
   # valid kinds are: added, changed, deprecated, removed, fixed and security
   artifacthub.io/changes: |
     - kind: added
-      description: Add possibility to manually set kyvernoVersion and avoid autodetection
-    - kind: added
-      description: Support for artifacthub.io/changes annotation
+      description: Add ability to configure autogen behavior
     - kind: fixed
-      description: Fix Kyverno version check when image tag contains registry port number
-    - kind: fixed
-      description: Ensure preconditions are present with default values
-    - kind: added
-      description: Support for failurePolicy setting in kyverno-policies helm chart
-    - kind: added
-      description: Add possibility to set validationFailureAction by Policy
-    - kind: added
-      description: Added ability to get additional policies from restricted
-    - kind: fixed
-      description: Applied fix in preconditions for background mode
-    - kind: added
-      description: Added case insensitivity guarantees to disallow-capabilities-strict
+      description: Support for customLabels, they were ignored up to now
diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md
index 2061c7837d..48ae5e1b3f 100644
--- a/charts/kyverno-policies/README.md
+++ b/charts/kyverno-policies/README.md
@@ -74,6 +74,7 @@ The command removes all the Kubernetes components associated with the chart and
 | validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. |
 | policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. |
 | policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. |
+| autogenControllers | string | `""` | Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`) For more info https://kyverno.io/docs/writing-policies/autogen/. |
 | nameOverride | string | `nil` | Name override. |
 | customLabels | object | `{}` | Additional labels. |
 | background | bool | `true` | Policies background mode |
diff --git a/charts/kyverno-policies/ci/test-autogen-none-values.yaml b/charts/kyverno-policies/ci/test-autogen-none-values.yaml
new file mode 100644
index 0000000000..53ecdb411b
--- /dev/null
+++ b/charts/kyverno-policies/ci/test-autogen-none-values.yaml
@@ -0,0 +1,2 @@
+podSecurityStandard: restricted
+autogenControllers: none
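Review bot: This CI values file only exercises `autogenControllers: none`, while the README also documents comma-separated lists such as `DaemonSet,Deployment,StatefulSet`; that form is the one most likely to expose rendering problems in the unquoted annotation the templates emit, so a sibling values file with a multi-controller value would give the test real coverage. Presumably these `ci/*-values.yaml` files are picked up by the chart's lint/install run; if so, writing the value as `"none"` here would also match the string type declared for the key in values.yaml and the README.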
diff --git a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
index 4feb2746de..9bb70d2da6 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
@@ -6,6 +6,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Disallow Capabilities
     policies.kyverno.io/category: Pod Security Standards (Baseline)
     {{- if .Values.podSecuritySeverity }}
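Review bot: The new annotation value on `pod-policies.kyverno.io/autogen-controllers: {{ . }}` is rendered unquoted, whereas the sibling `policies.kyverno.io/severity` annotation in this same file is rendered with `| quote`; Kubernetes annotation values must be strings, so a value that YAML types differently (a bare `true` or a number passed via `--set`, for instance) would render as a non-string and be rejected by the API server, and a value containing `: ` or ` #` would break the rendered manifest. Change the line to `pod-policies.kyverno.io/autogen-controllers: {{ . | quote }}`. The identical three-line `with` block is added verbatim to the other eighteen policy templates in this patch (disallow-host-namespaces through restrict-volume-types); a small named template included with `nindent 4`, alongside the existing `kyverno-policies.labels` helper, would keep the annotation maintained in one place. The enclosing `metadata:` mapping continues past this hunk.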
@@ -17,6 +20,7 @@ metadata:
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
       Adding capabilities beyond those listed in the policy must be disallowed.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
index fd4c7e0a15..894beec574 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
@@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Disallow Host Namespaces
     policies.kyverno.io/category: Pod Security Standards (Baseline)
     {{- if .Values.podSecuritySeverity }}
@@ -18,6 +21,7 @@ metadata:
       network namespace) allow access to shared information and can be used to elevate
       privileges. Pods should not be allowed access to host namespaces. This policy ensures
       fields which make use of these host namespaces are unset or set to `false`.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
index 24e2142ade..8793ef3a0b 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
@@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Disallow hostPath
     policies.kyverno.io/category: Pod Security Standards (Baseline)
     {{- if .Values.podSecuritySeverity }}
@@ -17,6 +20,7 @@ metadata:
       HostPath volumes let Pods use host directories and volumes in containers.
       Using host resources can be used to access shared data or escalate privileges
       and should not be allowed. This policy ensures no hostPath volumes are in use.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
index 0505efcba7..67ec3b9c04 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
@@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Disallow hostPorts
     policies.kyverno.io/category: Pod Security Standards (Baseline)
     {{- if .Values.podSecuritySeverity }}
@@ -17,6 +20,7 @@ metadata:
       Access to host ports allows potential snooping of network traffic and should not be
       allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
       field is unset or set to `0`.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
index b778327b57..8ad2d0c873 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
@@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Disallow hostProcess
     policies.kyverno.io/category: Pod Security Standards (Baseline)
     {{- if .Values.podSecuritySeverity }}
@@ -18,6 +21,7 @@ metadata:
       access to the Windows node. Privileged access to the host is disallowed in the baseline
       policy. HostProcess pods are an alpha feature as of Kubernetes v1.22. This policy ensures
       the `hostProcess` field, if present, is set to `false`.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
index 81704fd5b1..1d65f0292b 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
@@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Disallow Privileged Containers
     policies.kyverno.io/category: Pod Security Standards (Baseline)
     {{- if .Values.podSecuritySeverity }}
@@ -16,6 +19,7 @@ metadata:
     policies.kyverno.io/description: >-
       Privileged mode disables most security mechanisms and must not be allowed. This policy
       ensures Pods do not call for privileged mode.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
index 6df42e9ef8..c607738c73 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
@@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Disallow procMount
     policies.kyverno.io/category: Pod Security Standards (Baseline)
     {{- if .Values.podSecuritySeverity }}
@@ -18,6 +21,7 @@ metadata:
       ensures nothing but the default procMount can be specified. Note that in order for users
       to deviate from the `Default` procMount requires setting a feature gate at the API
       server.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
index 4e4c17882f..89d0209dc1 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
@@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Disallow SELinux
     policies.kyverno.io/category: Pod Security Standards (Baseline)
     {{- if .Values.podSecuritySeverity }}
@@ -16,6 +19,7 @@ metadata:
     policies.kyverno.io/description: >-
       SELinux options can be used to escalate privileges and should not be allowed. This policy
       ensures that the `seLinuxOptions` field is undefined.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
index 18866db8b4..b58c68771b 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
@@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Restrict AppArmor
     policies.kyverno.io/category: Pod Security Standards (Baseline)
     {{- if .Values.podSecuritySeverity }}
@@ -19,6 +22,7 @@ metadata:
       The default policy should prevent overriding or disabling the policy, or restrict
       overrides to an allowed set of profiles. This policy ensures Pods do not
       specify any other AppArmor profiles than `runtime/default` or `localhost/*`.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
index e01f954b07..99dbcabc32 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
@@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Restrict Seccomp
     policies.kyverno.io/category: Pod Security Standards (Baseline)
     {{- if .Values.podSecuritySeverity }}
@@ -17,6 +20,7 @@ metadata:
       The seccomp profile must not be explicitly set to Unconfined. This policy,
       requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
       set to `RuntimeDefault` or `Localhost`.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   background: {{ .Values.background }}
   {{- with index .Values "validationFailureActionByPolicy" $name }}
diff --git a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
index 2ae0519104..7e3da6ad56 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
@@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Restrict sysctls
     policies.kyverno.io/category: Pod Security Standards (Baseline)
     {{- if .Values.podSecuritySeverity }}
@@ -20,6 +23,7 @@ metadata:
       Pod, and it is isolated from other Pods or processes on the same Node.
       This policy ensures that only those "safe" subsets can be specified in
       a Pod.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
index a7e8c5906e..759fab90af 100644
--- a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
+++ b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
@@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/category: Sample
     {{- if .Values.podSecuritySeverity }}
     policies.kyverno.io/severity: {{ .Values.podSecuritySeverity | quote }}
@@ -18,6 +21,7 @@ metadata:
       This policy ensures the `runAsGroup`, `supplementalGroups`, and `fsGroup` fields are set to a number
       greater than zero (i.e., non root). A known issue prevents a policy such as this
       using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
index f3810516f3..9e84cfe75e 100644
--- a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
@@ -6,6 +6,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Disallow Capabilities (Strict)
     policies.kyverno.io/category: Pod Security Standards (Restricted)
     {{- if .Values.podSecuritySeverity }}
@@ -18,6 +21,7 @@ metadata:
     policies.kyverno.io/description: >-
       Adding capabilities other than `NET_BIND_SERVICE` is disallowed. In addition,
       all containers must explicitly drop `ALL` capabilities.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
index c9114ef158..687a2eb45f 100644
--- a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
@@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Disallow Privilege Escalation
     policies.kyverno.io/category: Pod Security Standards (Restricted)
     {{- if .Values.podSecuritySeverity }}
@@ -16,6 +19,7 @@ metadata:
     policies.kyverno.io/description: >-
       Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed.
       This policy ensures the `allowPrivilegeEscalation` field is set to `false`.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
index 0954f7e7f5..f40877350e 100644
--- a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
@@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Require Run As Non-Root User
     policies.kyverno.io/category: Pod Security Standards (Restricted)
     {{- if .Values.podSecuritySeverity }}
@@ -16,6 +19,7 @@ metadata:
     policies.kyverno.io/description: >-
       Containers must be required to run as non-root users. This policy ensures
       `runAsUser` is either unset or set to a number greater than zero.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
index e67b2da501..406689f32e 100644
--- a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
@@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Require runAsNonRoot
     policies.kyverno.io/category: Pod Security Standards (Restricted)
     {{- if .Values.podSecuritySeverity }}
@@ -17,6 +20,7 @@ metadata:
       Containers must be required to run as non-root users. This policy ensures
       `runAsNonRoot` is set to `true`. A known issue prevents a policy such as this
       using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
index 6971a75bd6..af8888fe56 100644
--- a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
@@ -5,6 +5,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Restrict Seccomp (Strict)
     policies.kyverno.io/category: Pod Security Standards (Restricted)
     {{- if .Values.podSecuritySeverity }}
@@ -19,6 +22,7 @@ metadata:
       requiring Kubernetes v1.19 or later, ensures that seccomp is
       set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this
       using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
index dc6d8c28ad..28180a7f93 100644
--- a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
@@ -6,6 +6,9 @@ kind: ClusterPolicy
 metadata:
   name: {{ $name }}
   annotations:
+    {{- with .Values.autogenControllers }}
+    pod-policies.kyverno.io/autogen-controllers: {{ . }}
+    {{- end }}
     policies.kyverno.io/title: Restrict Volume Types
     policies.kyverno.io/category: Pod Security Standards (Restricted)
     {{- if .Values.podSecuritySeverity }}
@@ -19,6 +22,7 @@ metadata:
       In addition to restricting HostPath volumes, the restricted pod security profile
       limits usage of non-core volume types to those defined through PersistentVolumes.
       This policy blocks any other type of volume other than those in the allow list.
+  labels: {{ include "kyverno-policies.labels" . | nindent 4 }}
 spec:
   {{- with index .Values "validationFailureActionByPolicy" $name }}
   validationFailureAction: {{ toYaml . }}
diff --git a/charts/kyverno-policies/values.yaml b/charts/kyverno-policies/values.yaml
index da7a2739c9..4fe5dc7fd6 100644
--- a/charts/kyverno-policies/values.yaml
+++ b/charts/kyverno-policies/values.yaml
@@ -84,6 +84,10 @@ policyPreconditions: {}
   #     operator: NotEquals
   #     value: "dcgm-exporter*"
 
+# -- Customize the target Pod controllers for the auto-generated rules. (Eg. `none`, `Deployment`, `DaemonSet,Deployment,StatefulSet`)
+# For more info https://kyverno.io/docs/writing-policies/autogen/.
+autogenControllers: ""
+
 # -- Name override.
 nameOverride: