Kyverno Policies: Remove disallow-shared-subpath-volume-writes policy
Package Merge Request
Package Changes
Additionally, this MR re-enables the image signature policy in CI, with a commented-out IB key to prevent the bug with this policy.
Package MR
https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/kyverno-policies/-/merge_requests/61
Release upgrade notice
Kyverno Policies:
- This release completely removes the `disallow-shared-subpath-volume-writes` policy
- This policy was intended to prevent exploitation of a CVE in older k8s versions; however, all vulnerable k8s versions are now EOL
- If you do not upgrade the Kyverno Policies package this release, you will need to disable this policy or add exceptions for a number of packages; the necessary exceptions for this policy are no longer maintained by Big Bang
- To disable the policy entirely use the below values:
```yaml
kyvernopolicies:
  values:
    policies:
      disallow-shared-subpath-volume-writes:
        enabled: false
```
Activity
- A deleted user
added botmr statusreview + 1 deleted label
assigned to @project_2872_bot2
requested review from @micah.nagel, @BrandenCobb, @ryan.j.garcia, and @rob.ferguson
changed milestone to %1.52.0
removed review request for @micah.nagel
assigned to @micah.nagel
requested review from @michaelmcleroy
- Resolved by Michael McLeroy
Any feedback on the upgrade notice/decision to remove the exceptions would be appreciated. It shouldn't matter, provided a user upgrades to the newer kyverno policies at the same time as upgrading to 1.52.0. The only issue would be if they only upgrade to 1.52.0 but pin to an older policy version - they would lose all exceptions of the subpath policy.
I think this is acceptable, with the inclusion of a release note, and would prefer to just get all of this out of our code at once rather than needing to remember about this legacy exception list in the future.
- Resolved by Micah Nagel
added 33 commits
- 4c947150...ee1a330c - 32 commits from branch master
- 893c423e - Merge branch 'master' into update-kyverno-policies-tag-1.1.0-bb.0
mentioned in commit 9a26b7e3
mentioned in issue #1406 (closed)