diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
index 05b1e3cf76..3d4184aeb4 100644
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
@@ -29,3 +29,5 @@ annotations:
 description: Fix Kyverno version check when image tag contains registry port number
 - kind: fixed
 description: Ensure preconditions are present with default values
+ - kind: added
+ description: Support for failurePolicy setting in kyverno-policies helm chart
diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md
index 5713c2aa5e..b6f022946e 100644
--- a/charts/kyverno-policies/README.md
+++ b/charts/kyverno-policies/README.md
@@ -68,6 +68,7 @@ The command removes all the Kubernetes components associated with the chart and
 | podSecurityPolicies | list | `[]` | Policies to include when `podSecurityStandard` is `custom`. |
 | includeOtherPolicies | list | `[]` | Additional policies to include from `other`. |
 | validationFailureAction | string | `"audit"` | Validation failure action (`audit`, `enforce`). For more info https://kyverno.io/docs/writing-policies/validate. |
+| failurePolicy | string | `"Fail"` | API server behavior if the webhook fails to respond ('Ignore', 'Fail') For more info: https://kyverno.io/docs/writing-policies/policy-settings/ |
 | validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. |
 | policyExclude | object | `{}` | Exclude resources from individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. |
 | policyPreconditions | object | `{}` | Add preconditions to individual policies. Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyPreconditions` map. |
diff --git a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
index 7395b70b89..2e6ff8d21f 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml
@@ -23,6 +23,7 @@ spec:
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
 background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: adding-capabilities
 match:
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
index 6210b59d2d..c24e8bbda9 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml
@@ -24,6 +24,7 @@ spec:
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
 background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: host-namespaces
 match:
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
index 4a3f270542..fe04cd6327 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml
@@ -23,6 +23,7 @@ spec:
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
 background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: host-path
 match:
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
index 48afcc71f3..57511b9aa6 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
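Review bot: The added `failurePolicy: {{ .Values.failurePolicy }}` renders whatever the value holds with no guard, so an override of `failurePolicy: ""` (or a values file that predates the key) emits `failurePolicy:` with a null value, and a typo such as `fail` is only caught by the CRD's enum at apply time, after the chart has rendered. Wrapping it as `{{- with .Values.failurePolicy }}` / `failurePolicy: {{ . }}` / `{{- end }}` keeps Kyverno's own default when the value is empty, and a `values.schema.json` enum restricted to `Ignore` and `Fail` would make `helm install` fail early on a misspelling. The same unguarded line is added in every other policy template of this commit (disallow-host-namespaces through restrict-volume-types), so whichever fix is chosen should be applied to all of them. `spec.failurePolicy` also has to exist in the Kyverno CRD the chart targets — presumably covered by the version check the changelog mentions, but worth confirming, since on an older CRD the field would be pruned or rejected. The enclosing `spec:` mapping starts and ends outside this hunk.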
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml
@@ -16,13 +16,14 @@ metadata:
 policies.kyverno.io/description: >-
 Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures the `hostPort`
- field is unset or set to `0`.
+ field is unset or set to `0`.
 spec:
 validationFailureAction: {{ .Values.validationFailureAction }}
 {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
 background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: host-ports-none
 match:
@@ -54,4 +55,4 @@ spec:
 containers:
 - =(ports):
 - =(hostPort): 0
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
index b71547aab5..2ce2733cda 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml
@@ -24,6 +24,7 @@ spec:
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
 background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: host-process-containers
 match:
diff --git a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
index c21b1e1777..79e13521da 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml
@@ -22,6 +22,7 @@ spec:
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
 background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: privileged-containers
 match:
diff --git a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
index 7336eca151..0d6a298179 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml
@@ -24,6 +24,7 @@ spec:
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
 background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: check-proc-mount
 match:
diff --git a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
index dfb3e64871..6c18ad991d 100644
--- a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
+++ b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml
@@ -22,6 +22,7 @@ spec:
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
 background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: selinux-type
 match:
diff --git a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
index e3fc774812..b59b661041 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml
@@ -25,6 +25,7 @@ spec:
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
 background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: app-armor
 match:
diff --git a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
index e593b000a0..faa98d0c4e 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml
@@ -14,8 +14,8 @@ metadata:
 kyverno.io/kyverno-version: 1.6.0
 kyverno.io/kubernetes-version: "1.22-1.23"
 policies.kyverno.io/description: >-
- The seccomp profile must not be explicitly set to Unconfined. This policy,
- requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
+ The seccomp profile must not be explicitly set to Unconfined. This policy,
+ requiring Kubernetes v1.19 or later, ensures that seccomp is unset or
 set to `RuntimeDefault` or `Localhost`.
 spec:
 background: {{ .Values.background }}
@@ -23,6 +23,7 @@ spec:
 {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: check-seccomp
 match:
@@ -50,7 +51,7 @@ spec:
 spec:
 =(securityContext):
 =(seccompProfile):
- =(type): "RuntimeDefault | Localhost"
+ =(type): "RuntimeDefault | Localhost"
 =(ephemeralContainers):
 - =(securityContext):
 =(seccompProfile):
diff --git a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
index 8ade370fbb..30786082a8 100644
--- a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
+++ b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml
@@ -26,6 +26,7 @@ spec:
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
 background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: check-sysctls
 match:
diff --git a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
index 3aceadf45e..d81de6abea 100644
--- a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
+++ b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml
@@ -24,6 +24,7 @@ spec:
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
 background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: check-runasgroup
 match:
diff --git a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
index 0284190ea6..0fa82a79b3 100644
--- a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml
@@ -24,6 +24,7 @@ spec:
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
 background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: require-drop-all
 match:
diff --git a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
index b95bf4acb0..add547a13d 100644
--- a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
+++ b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml
@@ -22,6 +22,7 @@ spec:
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
 background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: privilege-escalation
 match:
diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
index b2b23e2e88..4b24c184c1 100644
--- a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml
@@ -22,6 +22,7 @@ spec:
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
 background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: run-as-non-root-user
 match:
diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
index d632652665..dcfcfb73eb 100644
--- a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
+++ b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml
@@ -23,6 +23,7 @@ spec:
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
 background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: run-as-non-root
 match:
diff --git a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
index fb67c664fd..8a2670761c 100644
--- a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml
@@ -15,16 +15,17 @@ metadata:
 kyverno.io/kubernetes-version: "1.22-1.23"
 policies.kyverno.io/description: >-
 The seccomp profile in the Restricted group must not be explicitly set to Unconfined
- but additionally must also not allow an unset value. This policy,
- requiring Kubernetes v1.19 or later, ensures that seccomp is
+ but additionally must also not allow an unset value. This policy,
+ requiring Kubernetes v1.19 or later, ensures that seccomp is
 set to `RuntimeDefault` or `Localhost`. A known issue prevents a policy such as this using `anyPattern` from being persisted properly in Kubernetes 1.23.0-1.23.2.
 spec:
- background: {{ .Values.background }}
 validationFailureAction: {{ .Values.validationFailureAction }}
 {{- with concat (index .Values "validationFailureActionOverrides" "all") (default list (index .Values "validationFailureActionOverrides" $name)) }}
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
+ background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: check-seccomp-strict
 match:
diff --git a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
index c5b05764c9..857cc88975 100644
--- a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
+++ b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml
@@ -25,6 +25,7 @@ spec:
 validationFailureActionOverrides: {{ toYaml . | nindent 4 }}
 {{- end }}
 background: {{ .Values.background }}
+ failurePolicy: {{ .Values.failurePolicy }}
 rules:
 - name: restricted-volumes
 match:
diff --git a/charts/kyverno-policies/values.yaml b/charts/kyverno-policies/values.yaml
index 4ae3d291e3..bccf2e5eaa 100644
--- a/charts/kyverno-policies/values.yaml
+++ b/charts/kyverno-policies/values.yaml
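Review bot: `background:` is moved below the `{{- with ... }}` block in this hunk, while restrict-seccomp.yaml earlier in the same commit keeps it above `validationFailureAction`, so the templates now carry two different key orders for the same `spec`. The order means nothing to the API server, but settling on one layout for every template (the `background` / `failurePolicy` pair just before `rules`, as done here, looks like the intended one) keeps future diffs easy to compare. The added `failurePolicy` line has the same unguarded-value concern as the other templates in this commit. The enclosing `spec:` mapping continues outside the hunk.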
@@ -16,6 +16,10 @@ includeOtherPolicies: []
 # For more info https://kyverno.io/docs/writing-policies/validate.
 validationFailureAction: audit
+# -- API server behavior if the webhook fails to respond ('Ignore', 'Fail')
+# For more info: https://kyverno.io/docs/writing-policies/policy-settings/
+failurePolicy: Fail
+
 # -- Define validationFailureActionOverrides for specific policies.
 # The overrides for `all` will apply to all policies.
 validationFailureActionOverrides:
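Review bot: The comment on the new `failurePolicy` value names the two settings but not what each one means for enforcement, which is the part an operator has to weigh before changing it. I would expand it to `# -- Failure policy for the generated policies ('Ignore', 'Fail'). 'Fail' (default) makes the API server reject matching admission requests while the Kyverno webhook is unreachable (fail closed); 'Ignore' admits them unvalidated, so the pod-security checks are bypassed for the duration of a Kyverno outage.` As far as I know the webhook failure policy applies regardless of `validationFailureAction`, so an install that is otherwise `audit`-only can still block workload creation cluster-wide when Kyverno is down under the `Fail` default — worth one sentence so the default is chosen deliberately rather than discovered during an incident. The README row appears to be generated from this `# --` comment (helm-docs style), so it would pick up the wording automatically.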