Merge branch 'update-kyverno-policies-tag-3.3.4-bb.3' into 'master'

kyvernoPolicies update to 3.3.4-bb.3

Closes big-bang/product/packages/kyverno-policies#150

See merge request !5718

chart/templates/kyverno-policies/values.yaml

@@ -13,6 +13,72 @@ waitforready:
   - name: private-registry
 
 policies:
+  add-default-capability-drop:
+    validationFailureAction: Enforce
+    exclude:
+      any:
+      {{- if .Values.neuvector.enabled }}
+      # Neuvector needs access to host to inspect network traffic
+      - resources:
+          namespaces:
+          - neuvector
+          names:
+          - neuvector-enforcer-pod*
+          - neuvector-cert-upgrader-job*
+          - neuvector-controller-pod*
+          - neuvector-scanner-pod*
+          - neuvector-prometheus-exporter-pod*
+      {{- end }}
+      {{- if .Values.addons.holocron.enabled }}
+      - resources:
+          namespaces:
+          - holocron
+          names:
+          - holocron-postgresql-0
+      {{- end }}
+      {{- if .Values.addons.velero.enabled }}
+      - resources:
+          namespaces:
+          - velero
+          names:
+          - velero-backup-restore-test*
+      {{- end }}
+      {{- if .Values.addons.gitlabRunner.enabled }}
+      - resources:
+          namespaces:
+          - gitlab-runner
+          names:
+          - runner*
+      {{- end }}
+      {{- if .Values.addons.gitlab.enabled }}
+      - resources:
+          namespaces:
+          - gitlab
+          names:
+          - webservice-test-runner*
+      {{- end }}
+      {{- if .Values.twistlock.enabled }}
+      - resources:
+          namespaces:
+          - twistlock
+          names:
+          - twistlock-defender-ds*
+          - volume-upgrade*
+      {{- end }}
+      {{- if .Values.addons.mimir.enabled }}
+      - resources:
+          namespaces:
+          - mimir
+          names:
+          - mimir-mimir-smoke-test*
+      {{- end }}
+      {{- if .Values.addons.vault.enabled }}
+      - resources:
+          namespaces:
+          - vault
+          names:
+          - vault-vault-job-init*
+      {{- end }}
 
   {{- if or .Values.twistlock.enabled .Values.neuvector.enabled }}
   disallow-host-namespaces:

chart/values.yaml

@@ -647,11 +647,11 @@ kyvernoPolicies:
   git:
     repo: https://repo1.dso.mil/big-bang/product/packages/kyverno-policies.git
     path: ./chart
-    tag: "3.3.4-bb.1"
+    tag: "3.3.4-bb.3"
   helmRepo:
     repoName: "registry1"
     chartName: "kyverno-policies"
-    tag: "3.3.4-bb.1"
+    tag: "3.3.4-bb.3"
 
   # -- Flux reconciliation overrides specifically for the Kyverno Package
   flux: {}

tests/test-values.yaml

@@ -503,6 +503,21 @@ kyvernoPolicies:
     # Parameters are copied from kyverno policies for test vectors
     # Exclusions are for allowing other helm tests to function
     policies:
+      add-default-capability-drop:
+        exclude:
+          any:
+          # Need to be able to test the `require-drop-all-capabilities` policy
+          # without this policy mutating the podspecs and adding the "missing" capability
+          - resources:
+              namespaces:
+              - default
+              names:
+              - require-drop-all-capabilities*
+          - resources:
+              namespaces:
+              - argocd
+              names:
+              - guestbook-ui-*
       clone-configs:
         parameters:
           clone: