Kyverno manifests are incompatible with the restricted Pod Security
Standards included with Kubernetes 1.22 and 1.23 because the Pod
Security admission controller looks for "ALL" in securityContext.capabilities.drop,
but does not accept "all".
1b741f89aa/policy/check_capabilities_restricted.go (L88)
Signed-off-by: Ryan White <ryan@alzabo.io>
* fix validation check on UPDATE
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* prevent policy bypass using preconditions
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* separate replace
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add error handling
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fixed bug where negation of kernel version caused cpolr to fail
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* small fix in function validateString
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* Added necessary tests
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
Added one more test
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* Add more tests and added a policy to the test folder
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
* added policy for test cli
Signed-off-by: Tathagata Paul <tathagatapaul7@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* allow root cert for keyless attestations checks
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add logs and improve var names
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* make fmt
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* handle err in sig loading
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Adds e2e test for JSON patch mutate policy
Signed-off-by: afzal442 <afzal442@gmail.com>
* modifies the config to use the optimal version of that policy
Signed-off-by: afzal442 <afzal442@gmail.com>
* Fixes the lint issuue
Signed-off-by: afzal442 <afzal442@gmail.com>
* modifies test to pass
Signed-off-by: afzal442 <afzal442@gmail.com>
* adds changes to resources
Signed-off-by: afzal442 <afzal442@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
Co-authored-by: shuting <shuting@nirmata.com>
* Update kyverno-policies chart with latest pod-security policies
Fixes#3063Fixes#2277
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update README to have better example
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use chart testing during e2e to test against ci values
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Fix e2e tests for Helm chart
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Fix Kyverno chart testing to actually test values, and fix networkpolicy template
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update README for exclusion
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Allow adding 'other' policies via Helm
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update Chart.yaml for kyverno-policies
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Bump minimum Kubernetes version in charts
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Update kyverno-policies chart readme
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use version that should catch all pre-releases
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use version that should catch all pre-releases (part 2)
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
* Use same logic to get git tag by using Makefile target for updating Helm values
Signed-off-by: Trey Dockendorf <tdockendorf@osc.edu>
Co-authored-by: shuting <shuting@nirmata.com>
Co-authored-by: Prateek Pandey <prateekpandey14@gmail.com>
* - update dev images tag; - update chart testing
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* update to use dev tag when setting up e2e tests infra
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* default chart test image tag for busybox to latest
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* set image tag to latest for chart testing
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* correct tag
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* remove test tag in e2e.yaml
Signed-off-by: ShutingZhao <shuting@nirmata.com>
* add Sam as a maintainer
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* update maintainers
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* address comments
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fixed link
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
As part of tighten and clarify Kyverno roles and
permissions, PR #2799 we missed to update the charts
templates events clusterroles.
Signed-off-by: prateekpandey14 <prateekpandey14@gmail.com>
* Fix variable substitution when inline jmespath objects are defined
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
* Add additional test cases which use brackets
Signed-off-by: Sambhav Kothari <sambhavs.email@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
Removes the need to specify an image pull secret to make use of cloud
provider credentials. As I understand it, this should be fine outside of
cloud provider contexts.
As part of this, I've switched to using authn/kubernetes, which I believe
is preferable to k8schain.
Signed-off-by: Rob Best <robertbest89@gmail.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
* add nodeAffinity for kyverno helm chart
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* quite better and more open solution for affinity in helm chart. it assist all kinds of other affinitys
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* fix typo in parameter
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* make affinity selection easier - return to antiAffinity for less change
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* return to antiAffinity to make change easier
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* add documentation for new values and helm functions
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* simplified again the use of new affinities. Dont need to extra enable if
you insert affinities
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* fix "if" of the affinity block
Co-authored-by: treydock <treydock@gmail.com>
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* Now finaly renamed values to avoid braking change; adjust readme for the
parameter names
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
* alphabetic order readme
Signed-off-by: Kevin Welter <kevin.welter@humanity-it.com>
Co-authored-by: Kevin Welter <kevin.welter@digital-nx.com>
Co-authored-by: treydock <treydock@gmail.com>
