Merge branch 'update-kyverno-policies-tag-1.1.0-bb.0' into 'master'

Kyverno Policies: Remove disallow-shared-subpath-volume-writes policy See merge request platform-one/big-bang/bigbang!2377

Merge branch 'update-kyverno-policies-tag-1.1.0-bb.0' into 'master'
9a26b7e3 · Micah Nagel · 022baa72 · c0f6fa63 · 9a26b7e3 · 9a26b7e3
Commit 9a26b7e3 authored 2 years ago by Micah Nagel
--- a/chart/templates/kyverno/policies/values.yaml
+++ b/chart/templates/kyverno/policies/values.yaml
@@ -121,84 +121,6 @@ policies:
      {{- end }}
  {{- end }}

-{{- if or (.Values.addons.gitlab.enabled) (and (dig "console" "localVolumeUpgrade" false .Values.twistlock.values) (.Release.IsUpgrade)) .Values.addons.keycloak.enabled }}
-  disallow-shared-subpath-volume-writes:
-    # Subpath volumes can be used in combination with symlinks to break out into the host filesystem
-    exclude:
-      any:
-      - resources:
-          namespaces:
-          {{- if .Values.addons.gitlab.enabled }}
-          - gitlab
-          {{- end }}
-          {{- if (dig "console" "localVolumeUpgrade" false .Values.twistlock.values) }}
-          - twistlock
-          {{- end }}
-          {{- if .Values.addons.keycloak.enabled }}
-          - keycloak
-          {{- end }}
-          names:
-          {{- if (dig "console" "localVolumeUpgrade" false .Values.twistlock.values) }}
-          - volume-upgrade-job*
-          {{- end }}
-          {{- if .Values.addons.gitlab.enabled }}
-          # Volume `toolbox-secrets` is an emptyDir mounted read/write in initContainer `configure`
-          # It is also mounted in the container `toolbox` using a subPath, making it open to the
-          # vulnerability.  The initContainer uses a shell script, stored in a configmap, to copies
-          # values from a readOnly projected volume holding secrets/configmap items, into the shared
-          # volume.  The shared volume is mounted with subpaths pointing to specific files in the container.
-          - gitlab-toolbox*
-          # Volume `sidekiq-secrets` is an emptyDir mounted read/write in initContainer `configure`
-          # It is also mounted in the containers `sidekiq` and `dependencies` using a subPath,
-          # making it open to the vulnerability.  The initContainer uses a shell script, stored in
-          # a configmap, to copies values from a readOnly projected volume holding secrets/configmap
-          # items, into the shared volume.  The shared volume is mounted with subpaths pointing to
-          # specific files in the container.
-          - gitlab-sidekiq*
-          # Volume `webservice-secrets` is an emptyDir mounted read/write in initContainer `configure`
-          # It is also mounted in the containers `webservice` and `dependencies` using a subPath,
-          # making it open to the vulnerability.  The initContainer uses a shell script, stored in
-          # a configmap, to copies values from a readOnly projected volume holding secrets/configmap
-          # items, into the shared volume.  The shared volume is mounted with subpaths pointing to
-          # specific files in the container.
-          - gitlab-webservice-default*
-          # Volume `migrations-secrets` is an emptyDir mounted read/write in initContainer `configure`
-          # It is also mounted in the container `migrations` using a subPath, making it open to the
-          # vulnerability.  The initContainer uses a shell script, stored in a configmap, to copies
-          # values from a readOnly projected volume holding secrets/configmap items, into the shared
-          # volume.  The shared volume is mounted with subpaths pointing to specific files in the container.
-          - gitlab-migrations*
-          # Volume `etc-ssl-certs` is an emptyDir mounted read/write in initContainer `certificates`
-          # It is also mounted in the container `registry` using a subPath, making it open to the
-          # vulnerability. The initContainer uses a shell script, stored in a configmap, to copies
-          # values from a readOnly projected volume holding secrets/configmap items, into the shared
-          # volume. The shared volume is mounted with subpaths pointing to specific files in the container.
-          - gitlab-registry*
-          # Volume `etc-ssl-certs` is an emptyDir mounted read/write in initContainer `certificates`
-          # It is also mounted in the container `gitlab-exporter` using a subPath, making it open to the
-          # vulnerability. The initContainer uses a shell script, stored in a configmap, to copies
-          # values from a readOnly projected volume holding secrets/configmap items, into the shared
-          # volume. The shared volume is mounted with subpaths pointing to specific files in the container.
-          - gitlab-gitlab-exporter*
-          # Volume `etc-ssl-certs` is an emptyDir mounted read/write in initContainer `certificates`
-          # It is also mounted in the container `gitlab-shell` using a subPath, making it open to the
-          # vulnerability. The initContainer uses a shell script, stored in a configmap, to copies
-          # values from a readOnly projected volume holding secrets/configmap items, into the shared
-          # volume. The shared volume is mounted with subpaths pointing to specific files in the container.
-          - gitlab-gitlab-shell*
-          # Volume `etc-ssl-certs` is an emptyDir mounted read/write in initContainer `certificates`
-          # It is also mounted in the container `gitaly` using a subPath, making it open to the
-          # vulnerability. The initContainer uses a shell script, stored in a configmap, to copies
-          # values from a readOnly projected volume holding secrets/configmap items, into the shared
-          # volume. The shared volume is mounted with subpaths pointing to specific files in the container.
-          - gitlab-gitaly*
-          {{- end }}
-          {{- if .Values.addons.keycloak.enabled }}
-          # Volumes using emptyDir shared with initContainers to inject custom provider plugins or custom themes
-          - keycloak-*
-          {{- end }}
-  {{- end }}
-
  {{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.twistlock.enabled }}
  disallow-tolerations:
    exclude:

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -399,7 +399,7 @@ kyvernopolicies:
  git:
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-policies.git
    path: ./chart
-    tag: "1.0.1-bb.12"
+    tag: "1.1.0-bb.0"

  # -- Flux reconciliation overrides specifically for the Kyverno Package
  flux: {}

--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -395,25 +395,8 @@ kyvernopolicies:
          - 'kyverno-policies-bbtest/test: required'
          - kyverno-policies-bbtest/required
      require-image-signature:
-        # Policy needs to be disabled in CI when two matches/attestors are present due to a bug where all matching images are checked against all attestors
-        # https://github.com/kyverno/kyverno/pull/5956
-        enabled: false
        parameters:
          require:
-          - imageReferences:
-            - "registry1.dso.mil/ironbank/*"
-            attestors:
-            - count: 1
-              entries:
-              - keys:
-                  publicKeys: |-
-                    -----BEGIN PUBLIC KEY-----
-                    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL
-                    UfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==
-                    -----END PUBLIC KEY-----
-            # Ironbank images are rebuilt nightly and tags are not immutable
-            mutateDigest: false
-            verifyDigest: false
          - imageReferences:
            - "ghcr.io/kyverno/test-verify-image:*"
            attestors:
@@ -425,6 +408,20 @@ kyvernopolicies:
                    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
                    5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
                    -----END PUBLIC KEY-----
+          # - imageReferences:
+          #   - "registry1.dso.mil/ironbank/*"
+          #   attestors:
+          #   - count: 1
+          #     entries:
+          #     - keys:
+          #         publicKeys: |-
+          #           -----BEGIN PUBLIC KEY-----
+          #           MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL
+          #           UfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==
+          #           -----END PUBLIC KEY-----
+          #   # Ironbank images are rebuilt nightly and tags are not immutable
+          #   mutateDigest: false
+          #   verifyDigest: false
      require-labels:
        parameters:
          require: