From eadf359acbfb82b04637dd0ee63d5c9baa9e083a Mon Sep 17 00:00:00 2001 From: Ben Date: Thu, 9 May 2024 10:03:11 +0300 Subject: [PATCH 1/3] Aligining rules with v1 release Signed-off-by: Ben --- apis/k8s-v1/kustomization.yaml | 10 ++++++++++ apis/k8s-v1/patch.json | 7 +++++++ controls/C-0001/policy.yaml | 2 +- controls/C-0004/policy.yaml | 2 +- controls/C-0009/policy.yaml | 2 +- controls/C-0016/policy.yaml | 2 +- controls/C-0017/policy.yaml | 2 +- controls/C-0018/policy.yaml | 2 +- controls/C-0020/policy.yaml | 2 +- controls/C-0034/policy.yaml | 2 +- controls/C-0038/policy.yaml | 2 +- controls/C-0041/policy.yaml | 2 +- controls/C-0042/policy.yaml | 2 +- controls/C-0044/policy.yaml | 2 +- controls/C-0045/policy.yaml | 2 +- controls/C-0046/policy.yaml | 2 +- controls/C-0048/policy.yaml | 2 +- controls/C-0050/policy.yaml | 2 +- controls/C-0055/policy.yaml | 2 +- controls/C-0056/policy.yaml | 2 +- controls/C-0057/policy.yaml | 2 +- controls/C-0061/policy.yaml | 2 +- controls/C-0062/policy.yaml | 2 +- controls/C-0073/policy.yaml | 2 +- controls/C-0074/policy.yaml | 2 +- controls/C-0075/policy.yaml | 2 +- controls/C-0076/policy.yaml | 2 +- controls/C-0077/policy.yaml | 2 +- controls/C-0078/policy.yaml | 2 +- .../deny-pods-without-app-label-policy-binding.yaml | 2 +- .../deny-pods-without-app-label-policy.yaml | 2 +- runtime-policies/attach/policy.yaml | 3 +-- runtime-policies/exec/policy.yaml | 3 +-- runtime-policies/hostmount/policy.yaml | 5 +---- runtime-policies/insecure-capabilities/policy.yaml | 5 +---- runtime-policies/portforward/policy.yaml | 5 ++--- runtime-policies/privileged/policy.yaml | 2 +- test-resources/policy-binding.yaml | 2 +- 38 files changed, 54 insertions(+), 46 deletions(-) create mode 100644 apis/k8s-v1/kustomization.yaml create mode 100644 apis/k8s-v1/patch.json diff --git a/apis/k8s-v1/kustomization.yaml b/apis/k8s-v1/kustomization.yaml new file mode 100644 index 0000000..71585cf --- /dev/null +++ b/apis/k8s-v1/kustomization.yaml 
@@ -0,0 +1,10 @@
+bases:
+- ../../controls
+- ../../runtime-policies
+patches:
+ - target:
+ group: admissionregistration.k8s.io
+ version: v1beta1
+ kind: ValidatingAdmissionPolicy
+ name: ""
+ path: patch.json
\ No newline at end of file
diff --git a/apis/k8s-v1/patch.json b/apis/k8s-v1/patch.json
new file mode 100644
index 0000000..27623ea
--- /dev/null
+++ b/apis/k8s-v1/patch.json
@@ -0,0 +1,7 @@
+[
+ {
+ "op": "replace",
+ "path": "/apiVersion",
+ "value": "admissionregistration.k8s.io/v1"
+ }
+]
\ No newline at end of file
diff --git a/controls/C-0001/policy.yaml b/controls/C-0001/policy.yaml
index 671d6b1..895cd7d 100644
--- a/controls/C-0001/policy.yaml
+++ b/controls/C-0001/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0001-deny-forbidden-container-registries"
diff --git a/controls/C-0004/policy.yaml b/controls/C-0004/policy.yaml
index f5f9b55..74c495f 100644
--- a/controls/C-0004/policy.yaml
+++ b/controls/C-0004/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0004-deny-resources-with-memory-limit-or-request-not-set"
diff --git a/controls/C-0009/policy.yaml b/controls/C-0009/policy.yaml
index 5a9c10c..4440a47 100644
--- a/controls/C-0009/policy.yaml
+++ b/controls/C-0009/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0009-deny-resources-with-memory-or-cpu-limit-not-set"
diff --git a/controls/C-0016/policy.yaml b/controls/C-0016/policy.yaml
index ac7befb..a3ee2b4 100644
--- a/controls/C-0016/policy.yaml
+++ b/controls/C-0016/policy.yaml
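Review bot: The JSON6902 target in `apis/k8s-v1/kustomization.yaml` selects `version: v1beta1`, but the same patch moves every base under `controls/` and `runtime-policies/` to `apiVersion: admissionregistration.k8s.io/v1`, so after this commit no base resource carries the version the selector names and the `/apiVersion` replace in `patch.json` has nothing to apply to; depending on the kustomize release this is either a silent no-op or a "no matches for target" error, which would also break the `kubectl kustomize apis/k8s-v1/` step added to `release.yaml` in PATCH 2/3. If the overlay is meant as a pass-through for the now-native v1 manifests, the patch can be dropped or the target changed to `version: v1`; if it is meant to rewrite older bases, the selector must point at bases that still carry `v1beta1`. The selector also names only `kind: ValidatingAdmissionPolicy`, so any `ValidatingAdmissionPolicyBinding` reached through those bases would keep whatever apiVersion it has — confirm whether bindings are included. Minor: both new files lack a trailing newline, and `bases:` is a deprecated kustomization field in favour of `resources:`.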
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0016-allow-privilege-escalation"
diff --git a/controls/C-0017/policy.yaml b/controls/C-0017/policy.yaml
index 18cbdd2..edb31bc 100644
--- a/controls/C-0017/policy.yaml
+++ b/controls/C-0017/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0017-deny-resources-with-mutable-container-filesystem"
diff --git a/controls/C-0018/policy.yaml b/controls/C-0018/policy.yaml
index bd376a8..7809b72 100644
--- a/controls/C-0018/policy.yaml
+++ b/controls/C-0018/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0018-deny-resources-without-configured-readiness-probes"
diff --git a/controls/C-0020/policy.yaml b/controls/C-0020/policy.yaml
index 0db920d..c8fc166 100644
--- a/controls/C-0020/policy.yaml
+++ b/controls/C-0020/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0020-deny-resources-having-volumes-with-potential-access-to-known-cloud-credentials"
diff --git a/controls/C-0034/policy.yaml b/controls/C-0034/policy.yaml
index 75e124f..469dfb6 100644
--- a/controls/C-0034/policy.yaml
+++ b/controls/C-0034/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0034-deny-resources-with-automount-service-account-token-enabled"
diff --git a/controls/C-0038/policy.yaml b/controls/C-0038/policy.yaml
index 9466f1c..df8655e 100644
--- a/controls/C-0038/policy.yaml
+++ b/controls/C-0038/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0038-deny-resources-with-host-ipc-or-pid-privileges"
diff --git a/controls/C-0041/policy.yaml b/controls/C-0041/policy.yaml
index 010d3ac..12d345a 100644
--- a/controls/C-0041/policy.yaml
+++ b/controls/C-0041/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0041-deny-resources-with-host-network-access"
diff --git a/controls/C-0042/policy.yaml b/controls/C-0042/policy.yaml
index 60139cf..4871e3c 100644
--- a/controls/C-0042/policy.yaml
+++ b/controls/C-0042/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0042-deny-resources-with-ssh-server-running"
diff --git a/controls/C-0044/policy.yaml b/controls/C-0044/policy.yaml
index 58ebfcf..ec97ad3 100644
--- a/controls/C-0044/policy.yaml
+++ b/controls/C-0044/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0044-deny-resources-with-host-port"
diff --git a/controls/C-0045/policy.yaml b/controls/C-0045/policy.yaml
index ed57c20..c1e53bf 100644
--- a/controls/C-0045/policy.yaml
+++ b/controls/C-0045/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0045-deny-workloads-with-hostpath-volumes-readonly-not-false"
diff --git a/controls/C-0046/policy.yaml b/controls/C-0046/policy.yaml
index d117cc2..5c71db7 100644
--- a/controls/C-0046/policy.yaml
+++ b/controls/C-0046/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0046-deny-resources-with-insecure-capabilities"
diff --git a/controls/C-0048/policy.yaml b/controls/C-0048/policy.yaml
index 1902254..83ea00f 100644
--- a/controls/C-0048/policy.yaml
+++ b/controls/C-0048/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0048-deny-workloads-with-hostpath-mounts"
diff --git a/controls/C-0050/policy.yaml b/controls/C-0050/policy.yaml
index 2793a79..35492ae 100644
--- a/controls/C-0050/policy.yaml
+++ b/controls/C-0050/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0050-deny-resources-with-cpu-limit-or-request-not-set"
diff --git a/controls/C-0055/policy.yaml b/controls/C-0055/policy.yaml
index 28fc10b..4886199 100644
--- a/controls/C-0055/policy.yaml
+++ b/controls/C-0055/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0055-linux-hardening"
diff --git a/controls/C-0056/policy.yaml b/controls/C-0056/policy.yaml
index 5b37cb9..8ea33aa 100644
--- a/controls/C-0056/policy.yaml
+++ b/controls/C-0056/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0056-deny-resources-without-configured-liveliness-probes"
diff --git a/controls/C-0057/policy.yaml b/controls/C-0057/policy.yaml
index 2a4320e..96937ca 100644
--- a/controls/C-0057/policy.yaml
+++ b/controls/C-0057/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0057-privileged-container-denied"
diff --git a/controls/C-0061/policy.yaml b/controls/C-0061/policy.yaml
index 4af712b..7b48185 100644
--- a/controls/C-0061/policy.yaml
+++ b/controls/C-0061/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0061-deny-workloads-in-default-namespace"
diff --git a/controls/C-0062/policy.yaml b/controls/C-0062/policy.yaml
index 15ddc65..ed2c225 100644
--- a/controls/C-0062/policy.yaml
+++ b/controls/C-0062/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0062-deny-resources-having-containers-with-sudo-in-entrypoint"
diff --git a/controls/C-0073/policy.yaml b/controls/C-0073/policy.yaml
index c3db9d4..3b67d7e 100644
--- a/controls/C-0073/policy.yaml
+++ b/controls/C-0073/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0073-deny-naked-pods"
diff --git a/controls/C-0074/policy.yaml b/controls/C-0074/policy.yaml
index f0985c7..9f63b07 100644
--- a/controls/C-0074/policy.yaml
+++ b/controls/C-0074/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0074-resources-mounting-docker-socket-denied"
diff --git a/controls/C-0075/policy.yaml b/controls/C-0075/policy.yaml
index a33fa01..d9854a0 100644
--- a/controls/C-0075/policy.yaml
+++ b/controls/C-0075/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0075-deny-resources-with-image-pull-policy-not-set-to-always-for-latest-tag"
diff --git a/controls/C-0076/policy.yaml b/controls/C-0076/policy.yaml
index e8a0d0a..54d2dbe 100644
--- a/controls/C-0076/policy.yaml
+++ b/controls/C-0076/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0076-deny-resources-without-configured-list-of-labels-not-set"
diff --git a/controls/C-0077/policy.yaml b/controls/C-0077/policy.yaml
index bbf99ac..9eaf4db 100644
--- a/controls/C-0077/policy.yaml
+++ b/controls/C-0077/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0077-deny-resources-without-configured-list-of-k8s-common-labels-not-set"
diff --git a/controls/C-0078/policy.yaml b/controls/C-0078/policy.yaml
index 644cb1c..edc4274 100644
--- a/controls/C-0078/policy.yaml
+++ b/controls/C-0078/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: "kubescape-c-0078-only-allow-images-from-allowed-registry"
diff --git a/docs/validating-admission-policies/deny-pods-without-app-label-policy-binding.yaml b/docs/validating-admission-policies/deny-pods-without-app-label-policy-binding.yaml
index 908b6f8..4c15e2a 100644
--- a/docs/validating-admission-policies/deny-pods-without-app-label-policy-binding.yaml
+++ b/docs/validating-admission-policies/deny-pods-without-app-label-policy-binding.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicyBinding
 metadata:
 name: deny-pods-without-app-label-binding
diff --git a/docs/validating-admission-policies/deny-pods-without-app-label-policy.yaml b/docs/validating-admission-policies/deny-pods-without-app-label-policy.yaml
index 50e2a22..df0a62b 100644
--- a/docs/validating-admission-policies/deny-pods-without-app-label-policy.yaml
+++ b/docs/validating-admission-policies/deny-pods-without-app-label-policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: deny-pods-without-app-label
diff --git a/runtime-policies/attach/policy.yaml b/runtime-policies/attach/policy.yaml
index 9975a70..adfd82b 100644
--- a/runtime-policies/attach/policy.yaml
+++ b/runtime-policies/attach/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: cluster-policy-deny-attach
@@ -13,4 +13,3 @@ spec:
 validations:
 - expression: "false"
 message: "attach is not allowed"
- reason: "Medium"
diff --git a/runtime-policies/exec/policy.yaml b/runtime-policies/exec/policy.yaml
index cddc2b6..90928ff 100644
--- a/runtime-policies/exec/policy.yaml
+++ b/runtime-policies/exec/policy.yaml
@@ -1,4 +1,4 @@
-apiVersion: admissionregistration.k8s.io/v1beta1
+apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingAdmissionPolicy
 metadata:
 name: cluster-policy-deny-exec
@@ -13,4 +13,3 @@ spec:
 validations:
 - expression: "false"
 message: "exec is not allowed"
- reason: "High"
diff --git a/runtime-policies/hostmount/policy.yaml b/runtime-policies/hostmount/policy.yaml
index d9e201f..5f12c87 100644
--- a/runtime-policies/hostmount/policy.yaml
+++ b/runtime-policies/hostmount/policy.yaml
@@ -1,4 +1,4 @@ -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: name: cluster-policy-deny-host-mount @@ -21,10 +21,7 @@ spec: validations: - expression: "object.kind != 'Pod' || object.spec.volumes.all(vol, !(has(vol.hostPath)))" message: "There are one or more hostPath mounts in the Pod! (see more at https://hub.armosec.io/docs/c-0048)" - reason: "Medium" - expression: "['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.volumes.all(vol, !(has(vol.hostPath)))" message: "There are one or more hostPath mounts in the Workload! (see more at https://hub.armosec.io/docs/c-0048)" - reason: "Medium" - expression: "object.kind != 'CronJob' || object.spec.jobTemplate.spec.volumes.all(vol, !(has(vol.hostPath)))" message: "There are one or more hostPath mounts in the CronJob! (see more at https://hub.armosec.io/docs/c-0048)" - reason: "Medium" diff --git a/runtime-policies/insecure-capabilities/policy.yaml b/runtime-policies/insecure-capabilities/policy.yaml index 1f8ed92..e9011a2 100644 --- a/runtime-policies/insecure-capabilities/policy.yaml +++ b/runtime-policies/insecure-capabilities/policy.yaml @@ -1,4 +1,4 @@ -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: name: cluster-policy-deny-insecure-capabilities @@ -29,7 +29,6 @@ spec: container.securityContext.capabilities.add.all(capability, capability != insecureCapability) )) message: "Pod has one or more containers with insecure capabilities! (see more at https://hub.armosec.io/docs/c-0046)" - reason: "High" - expression: > ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, params.settings.insecureCapabilities.all(insecureCapability, 
@@ -37,7 +36,6 @@ spec: container.securityContext.capabilities.add.all(capability, capability != insecureCapability) )) message: "Workload has one or more containers with insecure capabilities! (see more at https://hub.armosec.io/docs/c-0046)" - reason: "High" - expression: > object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, params.settings.insecureCapabilities.all(insecureCapability, @@ -45,4 +43,3 @@ spec: container.securityContext.capabilities.add.all(capability, capability != insecureCapability) )) message: "CronJob has one or more containers with insecure capabilities! (see more at https://hub.armosec.io/docs/c-0046)" - reason: "High" diff --git a/runtime-policies/portforward/policy.yaml b/runtime-policies/portforward/policy.yaml index 4672c2f..efb3c71 100644 --- a/runtime-policies/portforward/policy.yaml +++ b/runtime-policies/portforward/policy.yaml @@ -1,4 +1,4 @@ -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: name: cluster-policy-deny-portforward @@ -7,10 +7,9 @@ spec: resourceRules: - apiGroups: [""] apiVersions: ["v1"] - operations: ["UPDATE", "PATCH", "CONNECT"] + operations: ["UPDATE", "CONNECT"] resources: ["pods/portforward"] failurePolicy: Fail validations: - expression: "false" message: "portforward is not allowed" - reason: "High" diff --git a/runtime-policies/privileged/policy.yaml b/runtime-policies/privileged/policy.yaml index e67fd22..8f94d50 100644 --- a/runtime-policies/privileged/policy.yaml +++ b/runtime-policies/privileged/policy.yaml @@ -1,4 +1,4 @@ -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicy metadata: name: cluster-policy-deny-priviliged-flag diff --git a/test-resources/policy-binding.yaml b/test-resources/policy-binding.yaml index 4dd6716..ed38306 100644 --- a/test-resources/policy-binding.yaml 
+++ b/test-resources/policy-binding.yaml @@ -1,4 +1,4 @@ -apiVersion: admissionregistration.k8s.io/v1beta1 +apiVersion: admissionregistration.k8s.io/v1 kind: ValidatingAdmissionPolicyBinding metadata: name: placeholder From f82067475ae596ccf4444426359098085c7ab886 Mon Sep 17 00:00:00 2001 From: Ben Date: Thu, 9 May 2024 10:16:06 +0300 Subject: [PATCH 2/3] Changin CI process for v1 Signed-off-by: Ben --- .github/workflows/main.yaml | 4 +--- .github/workflows/release.yaml | 30 ++++-------------------------- 2 files changed, 5 insertions(+), 29 deletions(-) diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 49b2f4d..314f61c 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -19,9 +19,7 @@ jobs: id: minikube uses: slashben/setup-minikube@master with: - feature-gates: 'ValidatingAdmissionPolicy=true' - extra-config: 'apiserver.runtime-config=admissionregistration.k8s.io/v1beta1' - kubernetes-version: v1.28.0-rc.1 + kubernetes-version: v1.30.0 container-runtime: containerd - uses: actions/setup-python@v4 with: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 39cd379..b56a54c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -7,30 +7,6 @@ on: - "v*" jobs: - - test-all-policies: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: start minikube - id: minikube - uses: slashben/setup-minikube@master - with: - feature-gates: 'ValidatingAdmissionPolicy=true' - extra-config: 'apiserver.runtime-config=admissionregistration.k8s.io/v1beta1' - kubernetes-version: v1.28.0-rc.1 - container-runtime: containerd - - uses: actions/setup-python@v4 - with: - python-version: '3.10' - - uses: azure/setup-kubectl@v3 - - name: Running all control policy tests - run: | - kubectl version - pip install --upgrade pip - pip install -r requirements.txt - ./scripts/run-all-control-tests.sh - release: needs: test-all-policies runs-on: ubuntu-latest 
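Review bot: In `.github/workflows/release.yaml` the `release` job still carries `needs: test-all-policies` (visible as context at the end of the `@@ -7,30 +7,6 @@` hunk) while the same hunk deletes the `test-all-policies` job, so the workflow now depends on a job that no longer exists and GitHub Actions will reject it as invalid on the next `v*` tag, meaning no release runs at all. Either remove the `needs:` line or, preferably, keep a test gate: dropping the job also means release artifacts are published without the control tests that `main.yaml` still runs, so a tag cut on a broken commit would ship untested policies. If the job was removed only because its minikube settings were tied to the old `v1beta1` feature gate, the `kubernetes-version: v1.30.0` bump this commit applies in `main.yaml` would keep it working here too. The `release` job continues past the end of the hunk.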
@@ -49,11 +25,12 @@ jobs: - name: Create release artifacts run: | mkdir release + kubectl kustomize apis/k8s-v1/ > release/kubescape-validating-admission-policies-v1.yaml kubectl kustomize apis/k8s-v1beta1/ > release/kubescape-validating-admission-policies-v1beta1.yaml kubectl kustomize apis/x-k8s-v1alpha1/ > release/kubescape-validating-admission-policies-x-v1alpha1.yaml kubectl kustomize apis/k8s-v1alpha1/ > release/kubescape-validating-admission-policies-v1alpha1.yaml - # Making a copy of the v1beta1 file to be used as the default policy release artifact - cp release/kubescape-validating-admission-policies-v1beta1.yaml release/kubescape-validating-admission-policies.yaml + # Making a copy of the v1 file to be used as the default policy release artifact + cp release/kubescape-validating-admission-policies-v1.yaml release/kubescape-validating-admission-policies.yaml - name: Create a GitHub release uses: softprops/action-gh-release@v1 @@ -61,6 +38,7 @@ jobs: with: files: | release/kubescape-validating-admission-policies.yaml + release/kubescape-validating-admission-policies-v1.yaml release/kubescape-validating-admission-policies-v1beta1.yaml release/kubescape-validating-admission-policies-x-v1alpha1.yaml release/kubescape-validating-admission-policies-v1alpha1.yaml From be9366263616055addd64b006edbffd6b6054bdf Mon Sep 17 00:00:00 2001 From: Ben Date: Thu, 9 May 2024 10:28:12 +0300 Subject: [PATCH 3/3] Updating readme for v1 Signed-off-by: Ben --- README.md | 8 +++----- docs/validating-admission-policies/README.md | 12 ++++++++++-- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 357b2d8..d6383e4 100644 --- a/README.md +++ b/README.md 
@@ -4,12 +4,10 @@ This is a library of policies based on [Kubescape controls](https://hub.armosec. ## Using the library -*Note: Kubernetes Validating Admission Policy feature _is _still in _its_ early phase_. -It has been released as an betav1 feature in Kubernetes 1.28, -and you need to enable its feature gate to be able to use it. Therefore it is not yet production ready. Look [here](docs/validating-admission-policies/README.md) for _how to _set up_ a playground_.* +Kubernetes Validating Admission Policy (or *VAP*) feature was released as a GA feature in version 1.30 and it is a releatively new feature (this library supports alpha and beta versions as well). Before you start playing with it, make sure you have a cluster that supports this feature. Look [here](docs/validating-admission-policies/README.md) for _how to _set up_ a playground_.* -Install latest the release of the library: +Install latest the release of the library (`v1` version of *VAP*): ```bash # Install configuration CRD kubectl apply -f https://github.com/kubescape/cel-admission-library/releases/latest/download/policy-configuration-definition.yaml @@ -26,7 +24,7 @@ You can apply policies to objects, for example, to apply control [C-0016](https: ```bash # Creating a binding kubectl apply -f - <