Merge branch 'main' into fykaa/multitenancy-benchmarks

nirmata · Feb 23, 2024 · 54a7f32 · 54a7f32
2 parents aa60116 + ae915b2
commit 54a7f32
Show file tree

Hide file tree

Showing 392 changed files with 752 additions and 25,254 deletions.
diff --git a/.github/workflows/chainsaw-e2e.yaml b/.github/workflows/chainsaw-e2e.yaml
@@ -2,11 +2,11 @@ name: ChainSaw Test
 on:
   push:
     branches:
-      - 'main'
+      - 'release-chart-1.10'
 
   pull_request:
     branches:
-      - 'main'
+      - 'release-chart-1.10'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -20,8 +20,8 @@ jobs:
       fail-fast: false    
       matrix:
         k8s-version: [v1.29.2, v1.28.7, v1.27.11, v1.26.14, v1.25.16, v1.24.12, v1.23.17]
-        # For n4k-versions 1.9
-        n4k-chart-version: [1.6.11]
+        # For n4k-versions 1.10
+        n4k-chart-version: [3.0.18]
 
     steps:
       - name: Checkout

diff --git a/.github/workflows/chart-lint.yaml b/.github/workflows/chart-lint.yaml
@@ -4,6 +4,7 @@ on:
   pull_request:
     branches:
       - main
+      - release-*
     paths:
       - charts/**
       - .github/workflows/release-chart.yaml
@@ -28,9 +29,9 @@ jobs:
       - name: Run chart-testing (list-changed)
         id: list-changed
         run: |
-          changed=$(ct list-changed --target-branch main)
+          changed=$(ct list-changed --target-branch ${{ github.event.pull_request.base.ref }})
           if [[ -n "$changed" ]]; then
             echo "::set-output name=changed::true"
           fi
       - name: Run chart-testing (lint)
-        run: ct lint --target-branch main
+        run: ct lint --target-branch ${{ github.event.pull_request.base.ref }}
diff --git a/.github/workflows/chart-release.yaml b/.github/workflows/chart-release.yaml
@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+      - release-*
 
 jobs:
   releasechart:

diff --git a/.github/workflows/cli.yaml b/.github/workflows/cli.yaml
@@ -2,10 +2,10 @@ name: Kyverno CLI Test
 on:
   push:
     branches:
-      - main
+      - kyverno-1.10
   pull_request:
     branches:
-      - main
+      - kyverno-1.10
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -16,7 +16,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        n4k-version: [v1.9.0-n4kbuild.3]
+        n4k-version: [v1.10.0-n4k.nirmata.1]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

diff --git a/best-practices/disallow-empty-ingress-host/disallow_empty_ingress_host.yaml b/best-practices/disallow-empty-ingress-host/disallow_empty_ingress_host.yaml
@@ -6,13 +6,14 @@ metadata:
     policies.kyverno.io/title: Disallow empty Ingress host
     policies.kyverno.io/category: Best Practices
     policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/subject: Ingress
     policies.kyverno.io/description: >-
       An ingress resource needs to define an actual host name
       in order to be valid. This policy ensures that there is a
       hostname for each rule defined.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: false
   rules:
     - name: disallow-empty-ingress-host

diff --git a/best-practices/disallow_cri_sock_mount/disallow_cri_sock_mount.yaml b/best-practices/disallow_cri_sock_mount/disallow_cri_sock_mount.yaml
@@ -7,14 +7,15 @@ metadata:
     policies.kyverno.io/category: Best Practices, EKS Best Practices
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/description: >-
       Container daemon socket bind mounts allows access to the container engine on the
       node. This access can be used for privilege escalation and to manage containers
       outside of Kubernetes, and hence should not be allowed. This policy validates that
       the sockets used for CRI engines Docker, Containerd, and CRI-O are not used.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-docker-sock-mount

diff --git a/best-practices/disallow_default_namespace/disallow_default_namespace.yaml b/best-practices/disallow_default_namespace/disallow_default_namespace.yaml
@@ -5,6 +5,7 @@ metadata:
   annotations:
     pod-policies.kyverno.io/autogen-controllers: none
     policies.kyverno.io/title: Disallow Default Namespace
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/category: Multi-Tenancy
     policies.kyverno.io/severity: medium
@@ -18,7 +19,7 @@ metadata:
       due to Pod controllers need to specify the `namespace` field under the top-level `metadata`
       object and not at the Pod template level.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-namespace

diff --git a/best-practices/disallow_latest_tag/disallow_latest_tag.yaml b/best-practices/disallow_latest_tag/disallow_latest_tag.yaml
@@ -7,13 +7,14 @@ metadata:
     policies.kyverno.io/category: Best Practices
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/description: >-
       The ':latest' tag is mutable and can lead to unexpected errors if the
       image changes. A best practice is to use an immutable tag that maps to
       a specific version of an application Pod. This policy validates that the image
       specifies a tag and that it is not called `latest`.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: require-image-tag

diff --git a/best-practices/require_drop_all/require_drop_all.yaml b/best-practices/require_drop_all/require_drop_all.yaml
@@ -7,6 +7,7 @@ metadata:
     policies.kyverno.io/category: Best Practices
     policies.kyverno.io/severity: medium
     policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
       Capabilities permit privileged actions without giving full root access. All
@@ -15,7 +16,7 @@ metadata:
       ability. Note that this policy also illustrates how to cover drop entries in any
       case although this may not strictly conform to the Pod Security Standards.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: require-drop-all
@@ -24,11 +25,9 @@ spec:
         - resources:
             kinds:
               - Pod
-      preconditions:
-        all:
-        - key: "{{ request.operation || 'BACKGROUND' }}"
-          operator: NotEquals
-          value: DELETE
+            operations:
+            - CREATE
+            - UPDATE
       validate:
         message: >-
           Containers must drop `ALL` capabilities.

diff --git a/best-practices/require_drop_cap_net_raw/require_drop_cap_net_raw.yaml b/best-practices/require_drop_cap_net_raw/require_drop_cap_net_raw.yaml
@@ -7,6 +7,7 @@ metadata:
     policies.kyverno.io/category: Best Practices
     policies.kyverno.io/minversion: 1.6.0
     policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
       Capabilities permit privileged actions without giving full root access. The
@@ -16,7 +17,7 @@ metadata:
       ability. Note that this policy also illustrates how to cover drop entries in any
       case although this may not strictly conform to the Pod Security Standards.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
     - name: require-drop-cap-net-raw
@@ -25,11 +26,9 @@ spec:
         - resources:
             kinds:
               - Pod
-      preconditions:
-        all:
-        - key: "{{ request.operation || 'BACKGROUND' }}"
-          operator: NotEquals
-          value: DELETE
+            operations:
+            - CREATE
+            - UPDATE
       validate:
         message: >-
           Containers must drop the `CAP_NET_RAW` capability.

diff --git a/best-practices/require_labels/require_labels.yaml b/best-practices/require_labels/require_labels.yaml
@@ -6,14 +6,15 @@ metadata:
     policies.kyverno.io/title: Require Labels
     policies.kyverno.io/category: Best Practices
     policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/subject: Pod, Label
     policies.kyverno.io/description: >-
       Define and use labels that identify semantic attributes of your application or Deployment.
       A common set of labels allows tools to work collaboratively, describing objects in a common manner that
       all tools can understand. The recommended labels describe applications in a way that can be
       queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: check-for-labels

diff --git a/best-practices/require_pod_requests_limits/require_pod_requests_limits.yaml b/best-practices/require_pod_requests_limits/require_pod_requests_limits.yaml
@@ -8,6 +8,7 @@ metadata:
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/description: >-
       As application workloads share cluster resources, it is important to limit resources
       requested and consumed by each Pod. It is recommended to require resource requests and
@@ -16,7 +17,7 @@ metadata:
       This policy validates that all containers have something specified for memory and CPU
       requests and memory limits.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-resources

diff --git a/best-practices/require_probes/require_probes.yaml b/best-practices/require_probes/require_probes.yaml
@@ -7,6 +7,7 @@ metadata:
     policies.kyverno.io/title: Require Pod Probes
     policies.kyverno.io/category: Best Practices, EKS Best Practices
     policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
       Liveness and readiness probes need to be configured to correctly manage a Pod's
@@ -17,7 +18,7 @@ metadata:
       This policy validates that all containers have one of livenessProbe, readinessProbe,
       or startupProbe defined.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-probes

diff --git a/best-practices/require_ro_rootfs/require_ro_rootfs.yaml b/best-practices/require_ro_rootfs/require_ro_rootfs.yaml
@@ -8,14 +8,15 @@ metadata:
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/description: >-
       A read-only root file system helps to enforce an immutable infrastructure strategy;
       the container only needs to write on the mounted volume that persists the state.
       An immutable root filesystem can also prevent malicious binaries from writing to the
       host system. This policy validates that containers define a securityContext
       with `readOnlyRootFilesystem: true`.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-readOnlyRootFilesystem

diff --git a/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml b/best-practices/restrict-service-external-ips/restrict-service-external-ips.yaml
@@ -7,13 +7,14 @@ metadata:
     policies.kyverno.io/category: Best Practices
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Service
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/description: >-
       Service externalIPs can be used for a MITM attack (CVE-2020-8554).
       Restrict externalIPs or limit to a known set of addresses.
       See: https://github.com/kyverno/kyverno/issues/1367. This policy validates
       that the `externalIPs` field is not set on a Service.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: check-ips

diff --git a/best-practices/restrict_node_port/restrict_node_port.yaml b/best-practices/restrict_node_port/restrict_node_port.yaml
@@ -6,6 +6,7 @@ metadata:
     policies.kyverno.io/title: Disallow NodePort
     policies.kyverno.io/category: Best Practices
     policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/subject: Service
     policies.kyverno.io/description: >-
       A Kubernetes Service of type NodePort uses a host port to receive traffic from
@@ -14,7 +15,7 @@ metadata:
       with additional upstream security checks. This policy validates that any new Services
       do not use the `NodePort` type.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-nodeport

diff --git a/charts/best-practices-k8s/Chart.yaml b/charts/best-practices-k8s/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: kubernetes-best-practice-policies
 description: Kubernetes Best Practice policy set
 type: application
-version: 0.2.1
+version: 0.3.0-rc1
 appVersion: 0.1.0
 keywords:
   - kubernetes

diff --git a/...ty/templates/disallow_cri_sock_mount.yaml → ...ces-k8s/pols/disallow_cri_sock_mount.yaml b/...ty/templates/disallow_cri_sock_mount.yaml → ...ces-k8s/pols/disallow_cri_sock_mount.yaml
@@ -8,13 +8,14 @@ metadata:
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/description: >-
       Container daemon socket bind mounts allows access to the container engine on the
       node. This access can be used for privilege escalation and to manage containers
       outside of Kubernetes, and hence should not be allowed. This policy validates that
       the sockets used for CRI engines Docker, Containerd, and CRI-O are not used.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-docker-sock-mount

diff --git a/...templates/disallow_default_namespace.yaml → ...-k8s/pols/disallow_default_namespace.yaml b/...templates/disallow_default_namespace.yaml → ...-k8s/pols/disallow_default_namespace.yaml
@@ -6,6 +6,7 @@ metadata:
     pod-policies.kyverno.io/autogen-controllers: none
     policies.kyverno.io/title: Disallow Default Namespace
     policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/category: Multi-Tenancy
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
@@ -18,7 +19,7 @@ metadata:
       due to Pod controllers need to specify the `namespace` field under the top-level `metadata`
       object and not at the Pod template level.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: validate-namespace

diff --git a/...emplates/disallow_empty_ingress_host.yaml → ...k8s/pols/disallow_empty_ingress_host.yaml b/...emplates/disallow_empty_ingress_host.yaml → ...k8s/pols/disallow_empty_ingress_host.yaml
@@ -1,20 +1,20 @@
-{{- $name := "disallow-empty-ingress-host" }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: {{ $name }}
+  name: disallow-empty-ingress-host
   annotations:
     policies.kyverno.io/title: Disallow empty Ingress host
     policies.kyverno.io/category: Best Practices
     policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/subject: Ingress
     policies.kyverno.io/description: >-
       An ingress resource needs to define an actual host name
       in order to be valid. This policy ensures that there is a
       hostname for each rule defined.
 spec:
-  validationFailureAction: {{ include "vfa-for-pol" (dict "Values" .Values "polname" $name) }}
-  background: {{ include "bgscan-for-pol" (dict "Values" .Values "polname" $name) }}
+  validationFailureAction: Audit
+  background: false
   rules:
     - name: disallow-empty-ingress-host
       match:
@@ -25,6 +25,6 @@ spec:
         message: "The Ingress host name must be defined, not empty."
         deny:
           conditions:
-            - key: "{{`{{`}} request.object.spec.rules[].host || `[]` | length(@) {{`}}`}}"
+            - key: "{{ request.object.spec.rules[].host || `[]` | length(@) }}"
               operator: NotEquals
-              value: "{{`{{`}} request.object.spec.rules[].http || `[]` | length(@) {{`}}`}}"
+              value: "{{ request.object.spec.rules[].http || `[]` | length(@) }}"
diff --git a/...curity/templates/disallow_latest_tag.yaml → ...actices-k8s/pols/disallow_latest_tag.yaml b/...curity/templates/disallow_latest_tag.yaml → ...actices-k8s/pols/disallow_latest_tag.yaml
@@ -6,14 +6,15 @@ metadata:
     policies.kyverno.io/title: Disallow Latest Tag
     policies.kyverno.io/category: Best Practices
     policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.10.0
     policies.kyverno.io/subject: Pod
     policies.kyverno.io/description: >-
       The ':latest' tag is mutable and can lead to unexpected errors if the
       image changes. A best practice is to use an immutable tag that maps to
       a specific version of an application Pod. This policy validates that the image
       specifies a tag and that it is not called `latest`.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: true
   rules:
   - name: require-image-tag