diff --git a/chart/templates/kyverno/policies/values.yaml b/chart/templates/kyverno/policies/values.yaml
index a3c1c75dd1026373c08e2b3ceb0630859a46fa6a..39e1afdaf82a2f52b888ff7847b7f5b345c5fb2d 100644
--- a/chart/templates/kyverno/policies/values.yaml
+++ b/chart/templates/kyverno/policies/values.yaml
@@ -121,84 +121,6 @@ policies: {{- end }} {{- end }} -{{- if or (.Values.addons.gitlab.enabled) (and (dig "console" "localVolumeUpgrade" false .Values.twistlock.values) (.Release.IsUpgrade)) .Values.addons.keycloak.enabled }} - disallow-shared-subpath-volume-writes: - # Subpath volumes can be used in combination with symlinks to break out into the host filesystem - exclude: - any: - - resources: - namespaces: - {{- if .Values.addons.gitlab.enabled }} - - gitlab - {{- end }} - {{- if (dig "console" "localVolumeUpgrade" false .Values.twistlock.values) }} - - twistlock - {{- end }} - {{- if .Values.addons.keycloak.enabled }} - - keycloak - {{- end }} - names: - {{- if (dig "console" "localVolumeUpgrade" false .Values.twistlock.values) }} - - volume-upgrade-job* - {{- end }} - {{- if .Values.addons.gitlab.enabled }} - # Volume `toolbox-secrets` is an emptyDir mounted read/write in initContainer `configure` - # It is also mounted in the container `toolbox` using a subPath, making it open to the - # vulnerability. The initContainer uses a shell script, stored in a configmap, to copies - # values from a readOnly projected volume holding secrets/configmap items, into the shared - # volume. The shared volume is mounted with subpaths pointing to specific files in the container. - - gitlab-toolbox* - # Volume `sidekiq-secrets` is an emptyDir mounted read/write in initContainer `configure` - # It is also mounted in the containers `sidekiq` and `dependencies` using a subPath, - # making it open to the vulnerability. The initContainer uses a shell script, stored in - # a configmap, to copies values from a readOnly projected volume holding secrets/configmap - # items, into the shared volume. The shared volume is mounted with subpaths pointing to - # specific files in the container. 
- - gitlab-sidekiq* - # Volume `webservice-secrets` is an emptyDir mounted read/write in initContainer `configure` - # It is also mounted in the containers `webservice` and `dependencies` using a subPath, - # making it open to the vulnerability. The initContainer uses a shell script, stored in - # a configmap, to copies values from a readOnly projected volume holding secrets/configmap - # items, into the shared volume. The shared volume is mounted with subpaths pointing to - # specific files in the container. - - gitlab-webservice-default* - # Volume `migrations-secrets` is an emptyDir mounted read/write in initContainer `configure` - # It is also mounted in the container `migrations` using a subPath, making it open to the - # vulnerability. The initContainer uses a shell script, stored in a configmap, to copies - # values from a readOnly projected volume holding secrets/configmap items, into the shared - # volume. The shared volume is mounted with subpaths pointing to specific files in the container. - - gitlab-migrations* - # Volume `etc-ssl-certs` is an emptyDir mounted read/write in initContainer `certificates` - # It is also mounted in the container `registry` using a subPath, making it open to the - # vulnerability. The initContainer uses a shell script, stored in a configmap, to copies - # values from a readOnly projected volume holding secrets/configmap items, into the shared - # volume. The shared volume is mounted with subpaths pointing to specific files in the container. - - gitlab-registry* - # Volume `etc-ssl-certs` is an emptyDir mounted read/write in initContainer `certificates` - # It is also mounted in the container `gitlab-exporter` using a subPath, making it open to the - # vulnerability. The initContainer uses a shell script, stored in a configmap, to copies - # values from a readOnly projected volume holding secrets/configmap items, into the shared - # volume. 
The shared volume is mounted with subpaths pointing to specific files in the container. - - gitlab-gitlab-exporter* - # Volume `etc-ssl-certs` is an emptyDir mounted read/write in initContainer `certificates` - # It is also mounted in the container `gitlab-shell` using a subPath, making it open to the - # vulnerability. The initContainer uses a shell script, stored in a configmap, to copies - # values from a readOnly projected volume holding secrets/configmap items, into the shared - # volume. The shared volume is mounted with subpaths pointing to specific files in the container. - - gitlab-gitlab-shell* - # Volume `etc-ssl-certs` is an emptyDir mounted read/write in initContainer `certificates` - # It is also mounted in the container `gitaly` using a subPath, making it open to the - # vulnerability. The initContainer uses a shell script, stored in a configmap, to copies - # values from a readOnly projected volume holding secrets/configmap items, into the shared - # volume. The shared volume is mounted with subpaths pointing to specific files in the container. - - gitlab-gitaly* - {{- end }} - {{- if .Values.addons.keycloak.enabled }} - # Volumes using emptyDir shared with initContainers to inject custom provider plugins or custom themes - - keycloak-* - {{- end }} - {{- end }} - {{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.twistlock.enabled }} disallow-tolerations: exclude:
diff --git a/chart/values.yaml b/chart/values.yaml
index 77dfb10e2a532c7666a4009eaeec154a29259dd1..a48100367bff659095d53757f4416bd63f069fcd 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -399,7 +399,7 @@ kyvernopolicies:
git: repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-policies.git path: ./chart
- tag: "1.0.1-bb.12"
+ tag: "1.1.0-bb.0"
# -- Flux reconciliation overrides specifically for the Kyverno Package flux: {}
diff --git a/tests/test-values.yaml b/tests/test-values.yaml
index efd997b723ecc49f03cb2aa4c8c4f62d8f5bcc70..9fca696b74e16e53c45a1258005ed2af4f8af474 100644
--- a/tests/test-values.yaml
+++ b/tests/test-values.yaml
@@ -395,25 +395,8 @@ kyvernopolicies:
- 'kyverno-policies-bbtest/test: required' - kyverno-policies-bbtest/required require-image-signature: - # Policy needs to be disabled in CI when two matches/attestors are present due to a bug where all matching images are checked against all attestors - # https://github.com/kyverno/kyverno/pull/5956 - enabled: false parameters: require: - - imageReferences: - "registry1.dso.mil/ironbank/*" - attestors: - - count: 1 - entries: - - keys: - publicKeys: |- - -----BEGIN PUBLIC KEY----- - MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL - UfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg== - -----END PUBLIC KEY----- - # Ironbank images are rebuilt nightly and tags are not immutable - mutateDigest: false - verifyDigest: false - imageReferences: - "ghcr.io/kyverno/test-verify-image:*" attestors:
@@ -425,6 +408,20 @@ kyvernopolicies:
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM 5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA== -----END PUBLIC KEY-----
+ # - imageReferences:
+ # - "registry1.dso.mil/ironbank/*"
+ # attestors:
+ # - count: 1
+ # entries:
+ # - keys:
+ # publicKeys: |-
+ # -----BEGIN PUBLIC KEY-----
+ # MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL
+ # UfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==
+ # -----END PUBLIC KEY-----
+ # # Ironbank images are rebuilt nightly and tags are not immutable
+ # mutateDigest: false
+ # verifyDigest: false
require-labels: parameters: require:
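Review bot: With the `registry1.dso.mil/ironbank/*` entry deleted and `enabled: false` dropped, the re-enabled `require-image-signature` policy is exercised in CI only against `ghcr.io/kyverno/test-verify-image:*`, so no test now covers the Iron Bank signing key that the platform's own images are verified with. The deleted comment said a second `imageReferences` entry tripped a kyverno bug where every matching image was checked against all attestors (kyverno/kyverno#5956); if the bumped policy chart (`1.1.0-bb.0` in chart/values.yaml) still carries that bug, the constraint should be stated next to the remaining entry rather than silently lost, e.g. `# Only one imageReferences entry: with two, every matching image is checked against all attestors (kyverno/kyverno#5956)`. If the bug is fixed in that version, restoring the Iron Bank entry together with its `mutateDigest: false` / `verifyDigest: false` settings (Iron Bank tags are rebuilt nightly and are not immutable, per the removed comment) would keep CI coverage of the production key. The enclosing `kyvernopolicies:` mapping starts before this hunk.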
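Review bot: The commented-out Iron Bank attestor added at the end of `require` carries no comment saying why it is disabled, and the only explanation (the kyverno attestor-matching bug) was deleted in the previous hunk, so the next maintainer cannot tell whether it is safe to uncomment or whether it is simply dead config. Either drop the block — a test values file is the wrong place to park disabled configuration — or head it with a one-line reason such as `# Disabled until kyverno checks each image only against its own attestors (kyverno/kyverno#5956); a second entry currently breaks verification in CI`. If it is kept, a note on which kyverno-policies/kyverno version is expected to lift the restriction would make the re-enable condition checkable rather than tribal knowledge; I cannot confirm from this diff whether `1.1.0-bb.0` already does.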